Original|Odaily Planet Daily(@OdailyChina)
Author|Wenser(@wenser 2010)
The situation in the Middle East remains fiery, and a security attack event exceeding 200 million USD has dealt another blow to the crypto circle.
On April 1st, April Fools' Day, the leading derivatives protocol in the Solana ecosystem, Drift Protocol, made a “joke” that did not resemble a joke: just a week ago, it had updated to a multi-signature requiring only 2/5 signatures without a time lock; a week later, assets related to JLP worth more than 280 million USD were stolen. It is hard not to speculate whether there was an insider threat at play.
According to the latest news, Drift officially confirmed that it suffered an active attack and had suspended all fund deposit and withdrawal operations across the platform; moreover, affected project parties have made it clear: “This is not an April Fool's joke.”
A remark that seems like a joke may unveil yet another heavy blow to the Solana DeFi ecosystem.
Details of the Drift Protocol Attack: 11 Transfers, Treasury Instantly Emptied
Preliminary investigations show that the attack method involved the hijacking of administrator permissions and a multi-signature execution vulnerability.
Slow Fog founder Yu Xianstated: “A week ago, Drift migrated to a 2/5 multi-signature without a time lock (Note from Odaily Planet Daily: meaning operations could be executed immediately), including one old wallet address and four new signature wallet addresses. The attacker took over management privileges just hours ago, minted counterfeit CVT tokens, manipulated the oracle, disabled related security mechanisms, and made off with the valuable assets in the pool.”
On-chain information shows that the attacker first purchased 41.72 million Jupiter liquidity tokens (JLP), valued at approximately 155.6 million USD, then quickly transferred large amounts of USDC and other tokens out, crossing funds to Ethereum, where approximately 19,913 ETH, worth about 42.6 million USD, were purchased.
The whole process involved about 11 large transactions, including:
- 51.61 million USDC, worth approximately 51.62 million USD;
- 125,000 WSOL, worth approximately 10.45 million USD;
- 164,000 cbBTC, worth approximately 11.29 million USD.
- Hacker wallet address: HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES.
In just a few minutes, Drift's total treasury assets plummeted from 309 million USD to 41 million USD.
At around 3 AM, Drift officially announced that it had been attacked and declared a joint response with multiple security companies, cross-chain bridges, and exchanges.
Causes of the Attack: Official Conclusion Pending, Administrator Private Key Leak May Be the Main Cause
Currently, Drift has not officially announced the primary cause of the attack.
Security firm PeckShield has assessed that the administrator's key for Drift Protocol is highly likely to have been leaked or compromised, allowing the attacker to manipulate the protocol's treasury through privileged access. This judgment qualifies the nature of the attack as a breakthrough at the permissions level rather than a vulnerability in the smart contract code.
Other community messages indicate that the attacker may have manipulated collateral parameters, artificially inflated the value of certain illiquid assets, and borrowed high-value tokens based on this, ultimately completing the theft of treasury funds. This trajectory closely aligns with previous DeFi governance attack models. Currently, investigators have not ruled out possibilities such as smart contract vulnerabilities or oracle manipulation, and investigations are ongoing.
It is worth noting that the Solana wallet used by the attacker had only made an initial deposit of 1 SOL the previous week and had previously received a small test transfer of about 2.52 USD from Drift's treasury, indicating that the attacker may have been lurking in advance and completed permission verification before the official action. Additionally, funds from the Drift attacker’s associated address came from Backpack, which may leave KYC-related clues.
Market Reaction: DRIFT Token Plummets 28%, SOL Briefly Under Pressure
After news of the Drift theft broke, the market descended into panic, with DRIFT and SOL quickly declining.
The native token of Drift Protocol, DRIFT's price dropped over 38% in 24 hours and is currently about 0.042 USD, having fallen over 98% from its historical high of 2.60 USD set in November 2024. The price of SOL also decreased under the impact of news and has fallen below 80 USD, dropping nearly 5% in 24 hours and currently quoted at 78.6 USD.
The Phantom wallet has proactively issued risk warnings to users attempting to access the Drift protocol; Forward Industries and DeFi Development Corp, both listed companies in the Solana treasury, also confirmed that their funds were unaffected by the attack.
Largest DeFi Attack in the Solana Ecosystem in 2026
According to crypto KOL @lugeweb3statistics, the projects that suffered clear losses or severe impacts from the Drift theft incident include:
- @piggybank_fi: 106,000 USD stolen, the team is injecting liquidity to compensate for user losses.
- @DeFiCarrot: Products Boost and Turbo were not affected, but overall were impacted by the vulnerability, and minting/exchange functions have been suspended.
- @uselulo: Traditional deposits may be affected (protected and enhanced deposits are not affected).
- @reflectmoney: All issuance/redemption of USDC+ and USDT+ have been frozen.
- @project0: Borrowing secured by the Drift market has been suspended.
- @ranger_finance: rgUSD deposits/withdrawals are suspended, with 900,000 USD frozen out of 14.6 million USD TVL on Drift.
- @elementaldefi: SOL and Lend funds deposited in Drift have been frozen (funds in USDC and ONYC are safe).
- @TradeNeutral: All Drift-related treasuries (JLP, BTC/ETH/SOL super staking, Hyper JLP, etc., total TVL 3.6 million USD) may be affected, and deposits/withdrawals are suspended.
- @xplaceapp: Deposits/withdrawals cannot be conducted, credit models and lending functions are disabled.
- @GetPyra: Funds are affected, all card functions are paused.
- @ExponentFinance: USDC+ related transactions are suspended.
- @fusewallet: Deposits are suspended.
- @perena: Stablecoins are unaffected, but redemptions are suspended; JLP Vault on Neutral Trade (510,000 USD TVL) may be affected.
Projects that have explicitly declared they are unaffected include:
- @JupiterExchange
- @kamino
- @UnitasLabs
- @onrefinance
- @solflare
- @hylo_so
- @MarinadeFinance
- @synatraxyz
- @solsticefi
- @defidevcorp
- @jito_sol
- @MeteoraAG
- @sanctumso
- @wormhole
Based on scale estimates, this event may become one of the largest DeFi security incidents in the Solana ecosystem since the attack on the Wormhole cross-chain bridge.
Before the Drift incident, its TVL was approximately 550 million USD, and this attack resulted in direct losses of up to 285 million USD, ranking the loss scale as the highest among all DeFi security incidents so far in 2026. It is worth mentioning that the total losses from March's DeFi attacks amounted to about 52 million USD, covering 20 major incidents; now, this Drift security incident will elevate the loss figures for the first half of the year to a new level.
Undoubtedly, the Drift theft incident again sounds the old but timeless alarm for the DeFi industry - beyond code security, operational security is equally critical; if it is ultimately confirmed that the reason for the theft was a leak of the administrator's private key, it will again validate: no matter how well code auditing is done, the human factor remains the weakest link in on-chain security.
Finally, Odaily Planet Daily reminds users: do not deposit funds or interact with the protocol until Drift releases the complete investigation report and provides a clear solution.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
