Written by: jsai@金财经&Claude
Many bears have been stolen!
On April 1, 2026, Drift Protocol, one of the largest DEX protocols in the Solana ecosystem, suffered a hacker attack and lost more than $200 million in less than an hour.
Although it happened on April 1st, this is not an April Fools' Day joke.
Drift Protocol is one of the most important decentralized derivatives exchanges in the Solana ecosystem. Its core business is perpetual contract (perp) trading, and it supports multi-asset collateral and interest-bearing deposits. Before the incident, Drift's total value locked (TVL) exceeded US$550 million, and its average daily perpetual contract trading volume was close to US$70 million. It is a core piece of DeFi infrastructure on the Solana chain.
However, on April 1, 2026, this vault worth hundreds of millions was almost emptied in less than an hour.
On-chain researchers discovered that the attacker’s wallet (HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES) had been created eight days before the attack and had received initial funds through the Intents cross-chain system of the NEAR protocol. Since then, the address has remained silent, waiting for the opportunity. The attacker also sent a test transaction worth approximately $2.52 to the Drift Vault to verify his control of the contract.
The attack officially started at 16:00 UTC. The first transaction transferred approximately US$155 million worth of JLP tokens (Jupiter Liquidity Pool certificates) out of the Drift vault, and the attackers then used approximately 11 coordinated transactions to withdraw all assets from multiple vaults in about an hour.
The composition of the stolen assets is shocking: 41.72 million JLP (approximately US$155.6 million), 51.616 million USDC (approximately US$51.62 million), 125,000 wSOL (approximately US$10.45 million), 164,349 cbBTC (approximately US$11.29 million), and other tokens.
In just a few minutes, the assets in one of Drift's vaults plummeted from $309 million to $41 million.
The attacker did not retain the funds. On-chain data shows that hackers deposited SOL tokens into Hyperliquid and Binance exchanges and purchased more than $82 million worth of Ethereum (ETH). Part of the funds were transferred to the Ethereum network through the Wormhole cross-chain bridge and subsequently dispersed to multiple addresses. The attacker also minted approximately $4 million in USDC through cross-chain transactions. Currently, this part of the stablecoin has been frozen by Circle on the Ethereum network.
The Drift team issued a warning on
In view of the fact that the incident occurred on April 1, Drift officials specifically emphasized that "this is not an April Fool's Day joke" - this sentence itself expresses the absurdity and sadness of this accident.
The official investigation is still ongoing, but on-chain researchers and security experts have pointed to the most likely attack vector: leakage of the administrator's private key. Whether that leak was the work of an outside hacker or an inside job remains a big open question.
The founder of blockchain security company PeckShield told Decrypt that the attack relied on gaining privileged access to the Drift protocol. "The administrator keys behind Drift must have been compromised or compromised in some way," he said. In other words, this is a human error rather than a technical smart contract vulnerability.
SlowMist founder Yu Xian published an article analyzing the Drift theft and pointed out that one week before the attack, Drift changed its multi-signature configuration to "2/5" (1 old signer + 4 new signers), with no timelock set. The attacker then gained administrator privileges, forged CVT tokens, manipulated oracles, turned off security mechanisms, and transferred high-value assets out of the fund pool.
Researchers noticed that after the hacker obtained administrator rights, he locked the Drift team out by modifying the administrator key, making it impossible to stop the ongoing attack, thereby completing the liquidation of multiple fund pools.
What’s even more serious is that it was later revealed that Drift Protocol lacked security audits by mainstream institutions such as CertiK, and there were obvious centralized loopholes in the governance permission design. While auditing itself is not foolproof, it can help eliminate obvious points of attack.
Many publicly listed Solana treasury companies, including Forward Industries and DeFi Development Corp, have stated that their treasuries were not affected by this incident. However, because Drift is deeply integrated into the Solana DeFi ecosystem, the chain reaction spread rapidly. Fifteen protocols including Jupiter, Perena, Project 0, Exponent, Carrot, Ranger, PiggyBank, Reflect, Project 0, Elemental, Neutral Trade, Pyra, Fuse, Neutral Trade, and XPlace issued statements confirming that they were affected to varying degrees by the theft from Drift.
Drift’s native governance token DRIFT plummeted more than 28% after the incident, trading at about $0.049. The token has fallen more than 98% from its all-time high of $2.60 in November 2024.
Solana’s native token SOL also fell within hours after the incident, hitting a low of $83.82 before recovering slightly.
Since the attacker holds a large amount of FARTCOIN, approximately 2.5% of the circulating supply, a sale at an opportune moment could affect the price of the token. The large flow of stolen wrapped assets such as wBTC and ETH into the market may also put de-pegging pressure on related protocols.
Solana ecosystem wallet Phantom has implemented warning prompts for users who try to access Drift Protocol. Circle also froze some USDC that had been transferred to Ethereum after being notified.
According to Rekt’s on-chain hacking incident rankings, if the scale of the loss is finally confirmed, this attack will become one of the largest attacks in the history of the Solana ecosystem, second only to the $326 million Wormhole cross-chain bridge hacking incident in 2022.
Compared with the other large DeFi security incidents of recent years, the Drift incident surpasses the $223 million loss at Cetus Protocol in the summer of 2025, making it one of the most serious Web3 security incidents of the past two years.
The most profound irony of this attack is that Drift used "decentralization" as its banner, but it collapsed due to a centralized administrator's private key. If the core control is still concentrated in a single key holder, no matter how sophisticated the on-chain code is, it will only be a false line of defense. Administrator permissions should be decentralized through multi-signature (Multisig) or time lock (Timelock) mechanisms. This is not a suggestion, but a minimum standard.
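To make the multisig-plus-timelock point concrete, the following added example (not Drift's code or any project's own) models a 2-of-5 signer set where a queued privileged action cannot execute until a delay has elapsed and any signer can veto it in the meantime. The type names, the 48-hour delay and the signer labels are assumptions for illustration.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum Denied { UnknownSigner, BelowThreshold, TimelockActive, Vetoed }

/// M-of-N signer set with a mandatory delay on privileged actions (illustrative names).
pub struct Governance {
    signers: HashSet<&'static str>,
    threshold: usize,
    delay_secs: u64,
}
/// A queued privileged action, e.g. replacing the admin key.
pub struct Pending {
    queued_at: u64,
    approvals: HashSet<&'static str>,
    vetoed: bool,
}

impl Governance {
    pub fn new(signers: &[&'static str], threshold: usize, delay_secs: u64) -> Self {
        Self { signers: signers.iter().copied().collect(), threshold, delay_secs }
    }
    pub fn queue(&self, now: u64) -> Pending {
        Pending { queued_at: now, approvals: HashSet::new(), vetoed: false }
    }
    pub fn approve(&self, p: &mut Pending, who: &'static str) -> Result<(), Denied> {
        if !self.signers.contains(who) { return Err(Denied::UnknownSigner); }
        p.approvals.insert(who); // a set, so one key cannot approve twice
        Ok(())
    }
    /// Any single signer can veto a queued action.
    pub fn veto(&self, p: &mut Pending, who: &'static str) -> Result<(), Denied> {
        if !self.signers.contains(who) { return Err(Denied::UnknownSigner); }
        p.vetoed = true;
        Ok(())
    }
    pub fn execute(&self, p: &Pending, now: u64) -> Result<(), Denied> {
        if p.vetoed { return Err(Denied::Vetoed); }
        if p.approvals.len() < self.threshold { return Err(Denied::BelowThreshold); }
        // The delay is what gives the remaining signers and monitors time to react.
        if now < p.queued_at.saturating_add(self.delay_secs) { return Err(Denied::TimelockActive); }
        Ok(())
    }
}

fn main() {
    let g = Governance::new(&["a", "b", "c", "d", "e"], 2, 172_800);
    let mut p = g.queue(0);
    for s in ["a", "b"] { g.approve(&mut p, s).unwrap(); }
    println!("{:?}", g.execute(&p, 3_600)); // one hour after queueing
}
```

With `delay_secs` set to 0, the same two approvals execute in the same second they are collected, which is the "2/5, no timelock" configuration described above.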
The attacker created the wallet eight days before launching the actual attack and conducted small test transactions to verify his control. The entire premeditation process lasted more than a week, and the protocol team's monitoring system did not trigger any alarms. This means that traditional "post-action" security systems are almost ineffective in the face of highly premeditated attackers - real-time anomaly detection and on-chain behavior monitoring must become infrastructure, not optional.
Before the attack, Drift became one of the most visible attack targets on the Solana chain with a TVL of $550 million. This is an unavoidable structural paradox between DeFi's high returns and high risks - the more concentrated the funds, the stronger the incentives for attackers. The protocol design should introduce a fund allocation mechanism to reduce the maximum loss limit after a single point is breached.
This attack exposed the fatal shortcoming of Drift Protocol, which lacks auditing by mainstream security agencies. With a scale of over $500 million in TVL, opening a protocol to users that has not been fully audited is essentially a risk-shifting behavior. Auditing is not a marketing gimmick, it is the basic threshold for being responsible for user funds.
After the attack, the stolen funds were quickly exchanged on-chain through the Jupiter aggregator and transferred to Ethereum with the help of a cross-chain bridge. This path has been repeatedly used by hackers - while infrastructures such as Wormhole and Jupiter improve capital efficiency, they also facilitate the rapid flow of illegal funds. How to introduce a compliance filtering mechanism at the infrastructure layer without compromising the decentralization characteristics is a difficult problem that the industry needs to face together.
In this incident, the Drift team was unable to intervene in time to prevent the attack from continuing to expand because the administrator key was replaced and the multi-signature did not set a time lock. This shows that the emergency response capability of the protocol must be independent of the administrator key - for example, through the built-in circuit breaker mechanism at the smart contract level, once the threshold is triggered (excessive withdrawals per unit time), the protocol operations will be automatically suspended without relying on any manual intervention.
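The circuit breaker described above can be sketched as a rolling-window outflow limiter that pauses the vault on its own once withdrawals per unit time exceed a share of TVL. This is an added example, not Drift's code; the struct, the 10%-per-hour limit and the amounts in `main` are constructed assumptions.

```rust
use std::collections::VecDeque;

#[derive(Debug, PartialEq)]
pub enum Decision { Allowed, Tripped, Paused }

/// Rolling-window outflow limiter; names and limits are illustrative assumptions.
pub struct CircuitBreaker {
    window_secs: u64,             // length of the rolling window
    max_outflow_bps: u64,         // share of TVL (basis points) allowed out per window
    tvl: u64,                     // current vault balance
    recent: VecDeque<(u64, u64)>, // (timestamp, amount) of withdrawals in the window
    paused: bool,                 // latched; clearing it is a separate, slower path
}

impl CircuitBreaker {
    pub fn new(tvl: u64, window_secs: u64, max_outflow_bps: u64) -> Self {
        let max_outflow_bps = max_outflow_bps.min(10_000); // never more than 100%
        Self { window_secs, max_outflow_bps, tvl, recent: VecDeque::new(), paused: false }
    }
    pub fn tvl(&self) -> u64 { self.tvl }

    /// Evaluate a withdrawal of `amount` at time `now` (seconds).
    pub fn withdraw(&mut self, now: u64, amount: u64) -> Decision {
        if self.paused { return Decision::Paused; }
        // Drop withdrawals that have aged out of the window.
        while let Some(&(t, _)) = self.recent.front() {
            if now.saturating_sub(t) < self.window_secs { break; }
            self.recent.pop_front();
        }
        let spent: u128 = self.recent.iter().map(|&(_, a)| a as u128).sum();
        // Measure against the balance at the start of the window (ignoring deposits),
        // so a drain in progress does not shrink its own denominator.
        let start_tvl = self.tvl as u128 + spent;
        let limit = start_tvl * self.max_outflow_bps as u128 / 10_000;
        if spent + amount as u128 > limit {
            self.paused = true; // fail closed; no administrator key is consulted
            return Decision::Tripped;
        }
        self.tvl -= amount;
        self.recent.push_back((now, amount));
        Decision::Allowed
    }
}

fn main() {
    let mut cb = CircuitBreaker::new(309_000_000, 3_600, 1_000);
    println!("{:?}", cb.withdraw(0, 155_000_000));
}
```

Because the pause is latched inside the withdrawal path itself, it still fires when the administrator key has been replaced.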
Today is April 1, 2026. The Drift team emphasized three times in the announcement that "this is not an April Fool's Day joke."
In a sense, the real joke is not the coincidence of the date, but this: a protocol that manages $550 million in user funds was brought down by a leaked private key; a decentralized system that claims to be "trustless" fell to the oldest and most human of errors: negligent key management.
The narrative of DeFi has never changed: code is law, transparency on the chain, and user autonomy. But any narrative depends on people, and talent is the key to the success of a narrative.