Yesterday Drift, a perpetual exchange protocol on Solana, was exploited for over $250M. The attack was not a smart contract exploit but rather social engineering/phishing, like the big Bybit one. A short tl;dr is below.
This really sucks to see. Seems like admin key compromise -> fake collateral asset listing -> inflate collateral weighting on multi-collat engine (similar to mango hack) -> override withdraw limits -> drain all spot pools.
Hope they manage to recover some of the funds. Godspeed https://t.co/cSYeSYQ5dV
— Tristan (@Tristan0x)
April 2, 2026
A more detailed breakdown can be found here, but essentially this was a theft of admin privileges, which were used to create a fake token and borrow the entirety of Drift’s assets against it.
1/ Drift’s admin key was compromised.
$213M+ drained from @solana’s largest DEX in under 10 seconds.
Unfortunately, we’ve seen similar patterns before:
– fake collateral market
– a manipulated oracle
– disabled circuit breakers
Let’s break it down 👇
written w/ Chaos AI pic.twitter.com/kErUWpQu3N
— Omer Goldberg (@omeragoldberg)
April 1, 2026
The full technical explanation from Drift is here:
Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.
This was a highly sophisticated operation that appears to have involved…
— Drift (@DriftProtocol)
April 2, 2026
This has implications across other DeFi protocols as well. Ranger Finance, Pyra, and P0 have all been impacted, as well as some others. P0 specifically is a prime broker on Solana that allows users to use collateral from various venues, with Drift being one of them. They have paused the protocol while they figure out what their bad debt exposure is and what to do with it/how to socialize it.
Two principles I’m working by as we assess the Drift exploit:
1) Drift lenders on P0 chose Drift specifically, we will ensure these lenders are proportionally socialized (as opposed to other venues like Kamino or Project 0 native market)
2) Keeping P0 paused while we clear… https://t.co/ReXoCAQXwA
— MacBrennan | P0 (@macbrennan_cc)
April 1, 2026
The comments on this tweet from Mac Brennan highlight that a lot of users are unaware of the risk they are taking when using DeFi. Many are stating that they had no exposure to Drift, so how could they be impacted? Well, if the Drift collateral is essentially worth $0, that’s all bad debt on P0’s books. They will start to clear it by liquidating other collateral from Drift borrowers, but if there’s not enough, the protocol will have bad debt and will have to cover the shortfall another way (which way they do this is tbd).
P0 update: Quick morning update re: un-pause timeline & goals:
Goal 1: Complete all Drift socializations today. Latest tomorrow.
– We have code & processes in place for this, but the Drift event is still unique. So, we’re going thru every single user who was affected to ensure the… https://t.co/JlTJafDoC2
— MacBrennan | P0 (@macbrennan_cc)
April 2, 2026
Elsewhere in Solana DeFi it seems like Kamino, Jupiter and other large protocols were largely unaffected.
Kamino can confirm that it has zero exposure to the Drift protocol compromise. Kamino users, across all products, including Vaults, Markets, and Multiply, are wholly unaffected.
— Kamino (@kamino)
April 1, 2026
Jupiter is not affected by the Drift situation.
Jupiter Lend has no exposure to Drift’s markets and JLP is fully backed by the underlying assets.
That said, this is a difficult day for Solana DeFi and our heart goes out to the Drift team and everyone affected.
— Jupiter (@JupiterExchange)
April 1, 2026
One of the more disappointing things is Circle’s involvement here. $230M of USDC went through Circle’s CCTP bridge without Circle doing anything. It has been hypothesized that this is North Korea (and the nature/sophistication of the attack makes it likely). If so, it seems unacceptable to me that they allowed it and did not freeze USDC. This is not the first time Circle has handled exploits poorly.
so (likely) north korea sent $230m through circle’s cctp without them doing anything? cool cool. https://t.co/aUiIaDpUJH
— ceteris (@ceterispar1bus)
April 2, 2026
More fallout from this will come to light over the next few days. Did any DATs have exposure? Forward says no, but others could have.
Forward Industries is aware of the ongoing unusual activity on Drift Protocol and has confirmed no exposure or impact to our treasury.
— Forward Ind. | NASDAQ-$FWDI (@FWDind)
April 1, 2026
Overall it’s a sad day for DeFi, and every one of these exploits just sets us back further. The value prop of “earn 1% a year and then lose all your money” isn’t great. Capital, especially institutional capital, is becoming increasingly stringent about how it underwrites DeFi protocols, and this will just make those requirements even stricter. Any protocol with admin keys shares this risk.
people need to understand that centralization is a liability and risk
yes, there is a risk of a code hack, but which is worse?
(1) someone hacks you personally, hacks all your devices, kidnaps you, etc., to get at admin keys that you have that can change an entire system?…
— _gabrielShapir0 (@lex_node)
April 1, 2026
Not much more to say. Obviously this is quite a bad event for Solana, but it will impact DeFi sentiment everywhere.
the lesson to learn from the drift hack is to design systems that are resilient to compromise. if one maliciously signed transaction gives an attacker full control over nearly all of the assets in your system, you probably have work to do
— trent.sol (@trentdotsol)
April 2, 2026