270 million dollars and 130,000 ETH stolen from Drift

智者解密

On April 2, 2026, Drift Protocol, a perpetual contract protocol in the Solana ecosystem, suffered a massive cross-chain attack, with approximately 270-285 million dollars in funds transferred out in a short period. The attacker did not rely on a sophisticated contract vulnerability but used social engineering to gain control of the multi-sig permissions managing the protocol's treasury, then moved quickly on-chain, converting the hijacked assets into a position equivalent to about 130,000 ETH. The incident sharply highlighted the gap between a protocol that was supposed to be decentralized and autonomously operated and the highly centralized reality of the multi-sig management behind it: when “decentralized security” is misaligned with “centralized authority,” who ultimately bears the risk?

The moment the multi-sig was compromised: 270...

On April 2 (Eastern Time), the attack on Drift was completed within an extremely short window. The core issue was not a contract vulnerability at the asset layer but a loss of control at the governance level. According to information cross-checked across multiple sources, the attacker used social engineering to carry out a "dimensionality reduction attack" on the multi-sig account responsible for the protocol's treasury, deceiving a weak link in the verification or identity confirmation process and thereby gaining enough signature authority to access the treasury assets. Once the multi-sig threshold was met, every on-chain operation proceeded under the guise of “legitimate execution,” leaving traditional technical defenses little time to react.

After the multi-sig was taken over, funds moved on-chain extremely quickly. Assets in the Drift-related treasury were transferred in batches and quickly converted within the Solana ecosystem, ultimately concentrating into a large ETH exposure. According to current public statistics, the overall loss is in the range of 270-285 million dollars, with approximately 130,000 ETH obtained through conversion. Some community discussion suggests that the attack could be related to durable nonce accounts and multi-sig configuration flaws, but these claims remain “pending verification” and lack authoritative technical disclosure. The core facts that can be confirmed are these: permissions were taken, the multi-sig was lost, and funds left under instructions the protocol itself deemed “legitimate.”

From Solana to Ethereum: ...

After gaining control of the multi-sig, the attacker’s first task was to improve the mobility and liquidity of the assets. On-chain records indicate that the funds were first swapped within the Solana ecosystem via aggregation trading platforms such as Jupiter, consolidating value spread across different tokens into more liquid, widely accepted assets, and that the Wormhole cross-chain bridge was then used to transfer the core assets from Solana to the Ethereum network. The depth and routing provided by Jupiter allowed the attacker to complete large swaps in a short time, while Wormhole became the critical channel for cross-chain migration, progressively separating the funds from the original attack environment.

Once the funds arrived on Ethereum, on-chain analysis teams quickly stepped in, labeling and tracking key addresses related to the incident. Among them were multiple addresses starting with 0x0FE3, which the community and security teams identified as receiving or transfer wallets highly associated with the Drift attack. Over time, the on-chain activity of these addresses came under ever closer scrutiny; every large transfer, swap, and split was immediately disclosed and discussed. Research briefs mentioned a typical operation in which 2.45 million USDC was exchanged for 1,195 ETH, a detail showing that the attacker was still continuously adjusting positions and weighing timing, depth, and price, balancing market impact against their own needs.

In terms of overall pacing, the attacker did not sell everything immediately after completing the cross-chain transfer. Instead, they adjusted gradually and probed liquidity, looking for a balance between price and risk control while under close monitoring. This “slowly moving elephant” approach was meant to minimize the slippage and exposure of a one-time sale, but in practice it also gave on-chain analysts, CEX risk control teams, and judicial bodies more time to react.

130,000 ETH concentrated in hand: ...

On the ETH side, one of the most direct consequences of the incident was that approximately 130,000 ETH became concentrated in a few labeled addresses. The on-chain analytics firm Lookonchain pointed out that this concentration not only represents massive potential selling pressure but also constitutes a broad “on-chain asset pollution risk”: once the ETH at these addresses is treated as a high-risk asset, its circulation across protocols and accounts would set off a chain reaction in risk control and compliance across the ecosystem.

From a market microstructure perspective, if such a large amount of ETH were sold aggressively, even in batches, it would inevitably have a notable short-term impact on the liquidity and order book of the Ethereum mainnet. The liquidity pools of large DEXs and the spot and perpetual markets of mainstream CEXs would have to absorb this potential selling pressure. A mismatch between the selling pressure and natural buyer demand within a given time window could amplify slippage, trigger a series of liquidations, or cause short-term price distortions. In terms of sentiment, the expectation that “stolen holdings could be dumped at any time” is itself a persistent shadow over bullish sentiment.

More troubling, the “toxicity” of the ETH held by the labeled addresses can easily spill over into the wider ecosystem. For CEXs, once the hacker's holdings are split across multiple addresses and pushed toward centralized cash-out channels, exchanges must make complex trade-offs between protecting user privacy and fulfilling compliance obligations. For DeFi protocols, if these funds are used to provide liquidity, take collateralized loans, or trade derivatives, they would bring long-term uncertainty to liquidation processes, collateral safety, and the credibility of liquidity pools. In the MEV ecosystem, whether block producers and searchers who package and order these “polluted transactions” could be viewed by regulators as assisting in money laundering or collusion will become a new focus of industry debate.

Pause, re-sign and accountability: Dri...

Faced with the sudden massive loss, the Drift team quickly hit the “emergency brake.” Official announcements indicated that after the incident on April 2, the protocol swiftly suspended deposits, withdrawals, and some contract functions to prevent further abnormal fund flows and to buy time for investigation and repair. At the same time, the team began updating its multi-sig settings, attempting to cut off any control paths the attacker might still hold by changing the signer composition, raising thresholds, or modifying how authority is distributed. From the outside, these emergency measures looked like a stopgap and mine-clearance operation; internally, they amounted to a forced governance restructuring and a reassessment of the security architecture.

The re-signing and permission restructuring of the multi-sig poses new challenges for the relationship between the Drift team and the community. On one hand, the project team needs to show affected users and potential investors that earlier governance and risk control deficiencies are being acknowledged and corrected; on the other hand, the community will scrutinize more closely who has the authority to sign, who can veto, and who can “hit the pause button” at critical moments. This redesign of the governance structure will directly affect the team's subsequent operational efficiency and room for decision-making: too much concentration in the multi-sig concentrates risk; too much dispersion slows execution.

For affected users, the path to recourse is equally uncertain. One route is to hope that the project team recovers some funds, provides compensation, or issues token incentives as an internal resolution; another is to rely on judicial and regulatory forces to pursue the attacker and any potentially negligent management entities. The contested question of liability is this: when an attack succeeds through social engineering rather than a contract logic vulnerability, to what extent should the protocol bear responsibility for a “breach of security obligation”? Should individual multi-sig signers also bear joint liability for risk control failures? There are currently no mature precedents to follow, yet these questions will be raised repeatedly in the wake of the Drift incident.

The old wound of decentralized protocols: Safety...

Seen more broadly, Drift's experience is not an isolated case but an old wound repeatedly reopened in the DeFi world: huge assets entrusted to a very small number of multi-sig holders. In the ideal narrative, protocols are autonomous and immutable, and “code is law” forms the strongest defense; in actual operation, however, many key actions, from parameter adjustments and emergency pauses to treasury management and fee distribution, still rely heavily on signature permissions held by a few individuals. Decentralization at the technical level contrasts sharply with centralization of governance at the multi-sig level.

The ideal of “code is law” emphasizes transparent rules, automated execution, and the absence of any need for trust; yet the Drift incident showed that even when the contract itself is secure enough, configuration errors, process design flaws, and social engineering attacks can still dismantle the entire defense from the human side. When attackers no longer contend with audit reports or formal verification but instead look for weaknesses around the signers, the so-called “trustless system” is pulled back to the level of people, processes, and organizational governance, and the gap between ideal and reality becomes evident.

In terms of reflection and repair, the industry is already discussing several directions for improving security. The first is further decentralization of the multi-sig itself, such as introducing more heterogeneous signers, geographical and institutional distribution, and multi-tiered approval mechanisms to reduce the risk of a single point of failure. The second is layered permissions and fine-grained control, separating the permissions for treasury management, parameter adjustments, and emergency switches so that no single multi-sig set has “almighty god” control. The third is stronger real-time auditing and on-chain monitoring: tracking multi-sig invocation behavior, abnormal authorization patterns, and large transaction paths, and triggering alerts and automated defenses before an attack is completed. No single solution is a silver bullet, but the Drift incident at least forces the industry to acknowledge that a set of multi-sig addresses alone is not enough to carry hundreds of millions in risk.
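The monitoring direction described above, sketched as an added example; it is not code from Drift, from any multi-sig program, or from the article's author. The event schema, rule names, thresholds and the sample event stream are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    """One multi-sig event. Constructed schema, not a real program's log format."""
    ts: int                  # unix seconds
    kind: str                # signer_change | threshold_change | propose | execute
    tx: str = ""             # proposal id (hypothetical)
    amount_usd: float = 0.0  # value moved by the proposal

def detect(events, treasury_usd, max_frac=0.05, min_review_s=3600, cfg_window_s=86400):
    """Return (ts, rule, detail) alerts for abnormal multi-sig behaviour."""
    alerts, proposals, last_cfg = [], {}, None
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind in ("signer_change", "threshold_change"):
            # Any change to who can sign, or how many must, is worth a page.
            last_cfg = e.ts
            alerts.append((e.ts, "CONFIG_CHANGE", e.kind))
        elif e.kind == "propose":
            proposals[e.tx] = e
        elif e.kind == "execute":
            p = proposals.get(e.tx)
            if p is None:  # executed without a proposal the monitor ever saw
                alerts.append((e.ts, "UNTRACKED_EXECUTION", e.tx))
                continue
            if p.amount_usd > max_frac * treasury_usd:
                alerts.append((e.ts, "LARGE_OUTFLOW", e.tx))
            if e.ts - p.ts < min_review_s:  # no time for human review
                alerts.append((e.ts, "FAST_EXECUTION", e.tx))
            if last_cfg is not None and e.ts - last_cfg < cfg_window_s:
                alerts.append((e.ts, "EXEC_AFTER_CONFIG_CHANGE", e.tx))
    return alerts

# Constructed sample stream: a routine payment, then a signer change followed
# minutes later by a large, quickly executed transfer.
SAMPLE = [
    Event(0, "propose", "tx-1", 20_000),
    Event(7_200, "execute", "tx-1"),
    Event(500_000, "signer_change"),
    Event(500_300, "propose", "tx-2", 40_000_000),
    Event(500_600, "execute", "tx-2"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE, treasury_usd=300_000_000):
        print(alert)
```

Each rule is weak on its own; the useful signal is several firing on one proposal, which is the point at which an automated pause or an out-of-band confirmation with the signers would be triggered.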

After 270 million: Drift...

Returning to the Solana ecosystem itself: Drift is one of its leading perpetual contract protocols, and this loss of approximately 270-285 million dollars undoubtedly deals a significant blow to confidence in the sector. On one hand, perpetual contracts, with their high leverage and high-frequency trading, are more sensitive to security and usability, and any prolonged pause or asset security incident amplifies traders' fears of “counterparty risk”; on the other hand, the incident pushes the entire Solana DeFi security stack back into the spotlight: cross-chain bridges, aggregation routing, and multi-sig governance, none of which can stand alone. More broadly, the incident reshapes the market's understanding of DeFi security: risk no longer originates solely from contract logic but extends to social engineering, organizational governance, and cross-chain infrastructure.

In the medium term, regulators, auditing teams, and on-chain analysis companies may all become more involved in similar events. Regulators will pay closer attention to the boundaries of multi-sig holders' responsibilities, the flow of funds through cross-chain bridges, and the risk acceptance of centralized platforms; auditing companies may move from pure contract audits to “full-stack security assessments” that bring governance structures, permission configurations, and operational processes into audit scope; on-chain analysis teams will take on a foundational “tracking and labeling” role, visualizing the flow of hacker funds to provide data for judicial investigations and trading platform risk control.

For ordinary participants and observers, three types of signals are worth tracking closely: first, progress on fund recovery, including whether any assets have been frozen, recovered, or returned through negotiation; second, the implementation of governance reforms, that is, whether Drift discloses a new multi-sig structure, a permission layering plan, and third-party security collaborations; third, the pace at which users and liquidity return, that is, whether affected and wait-and-see funds are willing to return to the protocol and whether the Solana perpetual sector can rebuild trust in the short term after the turbulence. After 270 million, Drift must face not only the hole in its assets but also an industry that has been thoroughly awakened: security is no longer "the audit report before going live" but a long-term contest involving permissions, processes, and people.
