$285 million, the largest on-chain attack of the year, still the oldest private key issue.

律动BlockBeats
3 hours ago

On April 1, 2026, at 4 PM UTC, the total assets of the Drift Protocol treasury were $309 million. An hour later, only $41 million remained.

This is not an April Fools' joke. The Drift team had to clarify this themselves: "This is not an April Fools' joke." But in the face of on-chain data, the difference between a joke and a disaster lies only in whether the money is still there.

What Happened

On April 1 at around 4 PM UTC, on-chain monitoring agencies Lookonchain and PeckShield almost simultaneously detected abnormal signals: a wallet HkGz4K…, created just eight days prior, began moving large amounts of assets out of several Drift treasuries. The first transaction was 41.7 million JLP tokens, worth about $155.6 million.

The attacker systematically emptied Drift’s core treasuries: JLP Delta Neutral, SOL Super Staking, and BTC Super Staking, involving over 15 types of tokens—USDC, SOL, cbBTC, wBTC, liquid staking tokens, and even the meme coin Fartcoin was not spared. A total of approximately $270 million to $285 million worth of assets was drained within an hour.

PeckShield gave a preliminary judgment: administrator private key leak. The attacker acquired the privileged management key of the protocol, which allowed them not only to call the treasury withdrawal function but also to change the administrator key itself, in effect changing the lock and locking the original owner out. The Drift team was unable even to freeze the contract as an emergency measure after the attack occurred.

This is the oldest method of attack. It is not flash loan arbitrage, not oracle manipulation, not a vulnerability in smart contract logic. It is simply a key falling into the hands of someone who should not have it.
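The pattern described in this section (an administrator key change, withdrawals to a wallet only days old, and most of the treasury leaving within an hour) can be expressed as monitoring rules. The following is an added example, not code from Drift, PeckShield or the article's author; the event schema, wallet labels and thresholds are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str         # "admin_change" or "withdraw" (hypothetical schema)
    wallet: str       # new admin key, or withdrawal destination
    usd: float = 0.0  # value leaving the treasury (withdrawals only)

def takeover_alerts(events, tvl_usd, first_seen, window=timedelta(hours=1),
                    max_outflow_frac=0.10, min_wallet_age=timedelta(days=30)):
    """Return (timestamp, rule, wallet) alerts for the key-takeover pattern."""
    alerts, recent, spiked = [], [], False
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "admin_change":
            # Rule 1: admin key rotation is rare, so every occurrence alerts.
            alerts.append((ev.ts, "admin_change", ev.wallet))
            continue
        if ev.kind != "withdraw":
            continue
        # Rule 2: destination wallet is recently created (unknown = age zero).
        if ev.ts - first_seen.get(ev.wallet, ev.ts) < min_wallet_age:
            alerts.append((ev.ts, "young_destination", ev.wallet))
        # Rule 3: rolling outflow in the window exceeds a share of TVL.
        recent = [(t, v) for t, v in recent if ev.ts - t <= window]
        recent.append((ev.ts, ev.usd))
        if not spiked and sum(v for _, v in recent) > max_outflow_frac * tvl_usd:
            alerts.append((ev.ts, "outflow_spike", ev.wallet))
            spiked = True
    return alerts

# Constructed sample data; amounts loosely follow the figures in the article.
T0 = datetime(2026, 4, 1, 16, 0)
FIRST_SEEN = {"ops_wallet": T0 - timedelta(days=400),
              "new_wallet": T0 - timedelta(days=8)}
EVENTS = [
    Event(T0 - timedelta(hours=5), "withdraw", "ops_wallet", 2_000_000),
    Event(T0, "admin_change", "new_admin_key"),
    Event(T0 + timedelta(minutes=2), "withdraw", "new_wallet", 155_600_000),
    Event(T0 + timedelta(minutes=40), "withdraw", "new_wallet", 110_000_000),
]
ALERTS = takeover_alerts(EVENTS, tvl_usd=309_000_000, first_seen=FIRST_SEEN)

if __name__ == "__main__":
    for ts, rule, wallet in ALERTS:
        print(ts.isoformat(), rule, wallet)
```

Alerts of this kind only help if something other than the administrator key can act on them, since the article notes the team could not freeze the contract once the key had been changed.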

The Attacker's Withdrawal Route

More concerning than the intrusion is the attacker’s exit strategy.

After stealing the assets, the attacker quickly exchanged various tokens for USDC via the Jupiter aggregator and then bridged across to Ethereum. By 5:49 PM UTC, the attacker had purchased 19,913 ETH (about $42.6 million); by 6:17 PM, this number doubled to 38,820 ETH (about $82.66 million). Meanwhile, another portion of SOL was directly deposited into Binance and HyperLiquid.

Multi-chain dispersion, multi-platform cashing out, real-time hedging. This is not a spur-of-the-moment hacker, but a well-rehearsed withdrawal plan.

The Weight of Drift

Drift is not an unknown protocol.

Founded jointly by Cindy Leow and David Lu in 2021, it is the largest decentralized perpetual contract exchange in the Solana ecosystem. In early 2024, Polychain Capital led a $23.5 million Series A funding round, bringing the total funding to $52.3 million. Prior to the incident, Drift had accumulated a trading volume exceeding $55 billion, with total value locked surpassing $1 billion and more than 200,000 active traders.

Cindy Leow said in a 2024 interview with Fortune that she wanted to make Drift "the Robinhood of the crypto world." Now, this metaphor has taken on a rather negative new meaning—Robinhood froze users' trading privileges during the GameStop incident in 2021, while Drift had their management privileges frozen by the attackers.

This is also the largest security incident the Solana ecosystem has faced since the $325 million theft from the Wormhole cross-chain bridge in 2022.

The Old Problems of DeFi Security

Viewing the Drift incident in the context of history, the picture is not unfamiliar.

In 2022, the Ronin Bridge was hacked for $625 million—validator node private key leak. In February 2025, Bybit was hacked for $1.4 billion—the front end of Safe{Wallet} was injected with malicious code, fundamentally still a break in the key management chain. Now it’s Drift, with the same script: the administrator key was breached, and the protocol fell.

$285 million ranks approximately fifth to sixth on the list of DeFi thefts. But the size of the number is no longer the focus. The focus is that decentralized protocols repeatedly fail at the same link—not in code logic, not in cryptography, but in who manages the key that controls everything and how it is safeguarded.

Perpetual contract protocols sell permissionless financial freedom. But when a single administrator key can empty all the treasuries in an hour, who exactly does the word "permissionless" protect?

Aftermath and Suspense

The Drift team quickly suspended deposit and withdrawal functions after the incident and stated that they were coordinating with "multiple security firms, cross-chain bridges, and exchanges" to track the funds. However, as of the time of writing, there has been no news of any funds being successfully frozen or recovered.

The DRIFT token plummeted over 25% after the news broke, falling from about $0.072 to $0.055. DeFi Development Corp. (a publicly listed company holding a large amount of SOL) quickly clarified that it had no association with Drift.

The attacker’s wallet remains active. On-chain data shows that assets are continuously being converted and dispersed. This is a retreat that is still ongoing.

Several key questions remain unanswered: how did the administrator private key leak? Was it due to operational negligence, social engineering attacks, or insider involvement? The attacker created the wallet eight days in advance and conducted small transactions on OKX and Jupiter—was this testing or laying the groundwork? Is there a possibility that the funds transferred to centralized exchanges could be frozen?

On April 1, a wallet created just eight days prior opened all treasuries of the largest perpetual contract platform on Solana with a single administrator key. The entire process took less than an hour. On-chain, the relationship between locks and keys has never been a metaphor.
