Drift Protocol’s $285 Million Exploit Exposes DeFi Security Fault Lines

David E | ALTCOINS | Yesterday

Hackers Outpace Protocol Defenses Again

On Wednesday, April 1, Solana’s largest decentralized perpetual futures exchange, Drift Protocol, suffered a catastrophic exploit that drained approximately $285 million from its vaults in just 12 min

The protocol’s immediate response was to freeze all deposits and withdrawals, a move that left users unable to access their funds while the attack unfolded. Within hours, most of the stolen assets were bridged to Ethereum, further complicating recovery efforts. According to decrypt.co, these rapid cross-chain transfers made it even harder for investigators and protocol operators to trace or claw back the funds.


At least 20 Solana protocols, including Gauntlet with losses of $6.4 million, were affected by the exploit.

Social Engineering: The Silent Entry Point

Unlike previous DeFi attacks that relied primarily on code vulnerabilities, this exploit centered on sophisticated social engineering. The attacker managed to gain unauthorized administrative powers over Drift’s security council by obtaining two out of five signatures required from a multisignature wallet. Between March 23 and March 30, they pre-signed malicious transactions and set up durable nonces, a Solana mechanism that keeps a signed transaction valid until it is submitted instead of expiring with a recent blockhash, days ahead of the breach. This staged approach allowed for careful planning and minimized detection risk.

It’s a reminder that human factors remain a critical weak point in decentralized finance.
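A defender-side check for the on-chain footprint of the staging described above, as an added example that is not from the article or from Drift: it flags System Program nonce instructions that involve watched signer keys. The record shape, all key values and names such as `nonce_findings` are assumptions constructed for illustration.

```python
import struct

# Assumed input shape (not an RPC format): transactions already decoded so that
# keys and instruction data are hex strings. All sample values are constructed.
SYSTEM_PROGRAM = "00" * 32              # System Program id is 32 zero bytes
ADVANCE_NONCE, INITIALIZE_NONCE = 4, 6  # SystemInstruction discriminants (u32 LE)

def system_ix_kind(ix):
    """Return the System Program discriminant of an instruction, else None."""
    data = bytes.fromhex(ix["data_hex"])
    if ix["program_id"] != SYSTEM_PROGRAM or len(data) < 4:
        return None
    return struct.unpack_from("<I", data)[0]

def nonce_findings(tx, watched_keys):
    """Report durable-nonce activity in one transaction that involves watched keys."""
    findings, ixs = [], tx["instructions"]
    # A durable-nonce transaction carries AdvanceNonceAccount as instruction 0.
    if ixs and system_ix_kind(ixs[0]) == ADVANCE_NONCE:
        hit = sorted(set(tx["signers"]) & watched_keys)
        if hit:
            findings.append({"kind": "durable_nonce_tx", "sig": tx["signature"],
                             "nonce_account": ixs[0]["accounts"][0],
                             "watched_signers": hit})
    for ix in ixs:
        data = bytes.fromhex(ix["data_hex"])
        # InitializeNonceAccount data: u32 discriminant + 32-byte authority key.
        if system_ix_kind(ix) == INITIALIZE_NONCE and len(data) >= 36:
            authority = data[4:36].hex()
            if authority in watched_keys:
                findings.append({"kind": "nonce_account_created", "sig": tx["signature"],
                                 "nonce_account": ix["accounts"][0],
                                 "authority": authority})
    return findings

def key(n):  # constructed 32-byte placeholder key, hex encoded
    return (bytes([n]) * 32).hex()

def make_ix(program, accounts, data):  # builds one constructed instruction record
    return {"program_id": program, "accounts": accounts, "data_hex": data.hex()}

COUNCIL = {key(n) for n in range(1, 6)}  # hypothetical five-member signer set
SAMPLE_TXS = [  # constructed: plain transfer, nonce setup, durable-nonce transaction
    {"signature": "sig-transfer", "signers": [key(1)], "instructions": [
        make_ix(SYSTEM_PROGRAM, [key(1), key(9)], struct.pack("<IQ", 2, 1000))]},
    {"signature": "sig-init", "signers": [key(7)], "instructions": [
        make_ix(SYSTEM_PROGRAM, [key(8), key(20), key(21)],
                struct.pack("<I", 6) + bytes.fromhex(key(2)))]},
    {"signature": "sig-durable", "signers": [key(7), key(2), key(4)], "instructions": [
        make_ix(SYSTEM_PROGRAM, [key(8), key(20), key(7)], struct.pack("<I", 4)),
        make_ix(key(30), [key(31)], b"\xab")]},
]
FINDINGS = [f for tx in SAMPLE_TXS for f in nonce_findings(tx, COUNCIL)]
```

Pre-signed transactions stay off-chain until they are submitted, so the nonce-account creation is the earlier of the two signals.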

Fake Assets, Real Losses for Users

Central to the heist was the creation of a fictitious token named CarbonVote. The attacker manipulated Drift’s price oracles and used this fake asset as collateral to borrow against real user deposits. By inflating CarbonVote’s value inside the protocol, they were able to drain genuine liquidity—leaving actual users with nothing backing their balances. In total, at least 20 Solana-based protocols were impacted by the fallout, including Gauntlet, which alone lost around $6.4 million.

The damage extended beyond just numbers: Drift’s total value locked plunged from roughly $550 million before the attack to under $250 million afterward. The DRIFT token price also dropped sharply from above 7 cents to about 4 cents before seeing a partial recovery in subsequent trading sessions.

Governance Centralization Draws New Scrutiny

On paper, multisignature wallets are meant to safeguard protocol governance by requiring multiple approvals for major actions. In practice, Drift’s system relied on just five individuals for its security council—a setup that proved vulnerable when two signatures were compromised or misused. Blockchain security expert David Schwed highlighted that such centralization can create single points of failure in otherwise decentralized systems.

Jiang Xuxian of PeckShield noted that privileged access via leaked or compromised admin keys was pivotal in this exploit, underscoring how even robust technical controls can be undone by lapses in key management or internal processes.

Chain Messages Turn to Ransom Threats

In the aftermath of the attack, Drift Protocol initiated onchain contact with four wallets tied to the exploit using its Ethereum address (0x0934faC), urging communication via Blockscan chat. However, an unknown party using the ENS name readnow.eth also sent messages claiming knowledge of the attackers’ identities—and demanded 1,000 ETH (over $3 million) for silence. It’s unclear whether these claims have any basis; there is no independent verification so far.

As of 48 hours after the breach, blockchain security platform Cyvers reported that none of the stolen funds had been recovered. This lack of progress has increased anxiety among affected users and raised questions about how protocols should communicate with attackers or intermediaries during ongoing investigations.

Why it matters: Practical Impact for DeFi Security

This exploit highlights several systemic weaknesses in decentralized finance: social engineering risks, governance centralization, and reliance on oracles and synthetic assets without sufficient checks. While Drift Protocol froze operations quickly after discovering the attack on April 1, more than $285 million had already vanished—demonstrating how speed alone is not always enough when planning is measured in weeks but execution takes minutes.

For end users and other protocols alike, the incident serves as a stark warning: even platforms with hundreds of millions in total value locked are not immune from targeted attacks exploiting both technical and human vulnerabilities. As investigations continue and new facts emerge about possible North Korean involvement—flagged by multiple blockchain analytics firms but still unconfirmed—the broader DeFi ecosystem faces renewed pressure to rethink how it manages admin privileges and cross-chain risks.

What to watch closely

If no funds are recovered or returned within the days following Drift Protocol's April 1 exploit—which drained approximately $285 million and affected at least 20 Solana protocols—user losses and protocol freezes will remain unresolved, while attribution of the attack to North Korean actors by Elliptic and TRM Labs remains unconfirmed.

About the Author

David E

Writer – DeFi & crypto markets

With a keen interest in decentralized finance and digital asset markets, David closely monitors Layer 1 and Layer 2 protocol developments. His articles break down market movements, token launches and governance issues shaping today's crypto landscape.