
What Happened: The Timeline of the Attack
The exploit unfolded in under an hour on April 1. Attackers targeted Drift’s core vaults — including the JLP Delta Neutral, SOL Super Staking, and BTC Super Staking vaults. Using pre-signed durable nonces (a built-in Solana feature designed for transaction reliability), the attacker removed withdrawal limits and executed dozens of large transfers. Funds were swept from more than 15 different token accounts in a single coordinated sweep. The operation was so efficient that the protocol’s Total Value Locked (TVL) dropped by over 50% within minutes.
Drift Protocol’s team quickly confirmed an “active attack” on social media, suspended all deposits and withdrawals, and began coordinating with security firms and exchanges.
Assets Drained: USDC, USDT, WETH, JUP, mSOL, INF and More
According to on-chain analysts (Arkham Intelligence, PeckShield, and independent researchers), the stolen assets included a broad mix of collateral:
- JLP tokens — ~$155 million (largest single position)
- USDC — ~$60 million
- USDT — ~$5.65 million
- WETH — ~$4.7 million
- WBTC and cbBTC — combined ~$15–16 million
- mSOL, BSOL, JitoSOL, INF — liquid staking tokens worth several million
- JUP — ~$430K
- Smaller amounts of FARTCOIN, SYRUP USDC, dSOL, and other supported assets
The attacker rapidly swapped most tokens into USDC on Solana DEX aggregators, then bridged over $230 million in USDC to Ethereum using Circle’s CCTP (Cross-Chain Transfer Protocol).
How the Exploit Worked: Not Code, But Governance
Security experts emphasize this was not a traditional smart-contract vulnerability. Key findings:
- The attacker gained control of the Security Council (a 2/5 multisig) — possibly through social engineering or key compromise weeks in advance.
- They used durable nonces to submit pre-authorized admin transactions.
- Withdrawal limits were removed, allowing the vaults to be fully drained.
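
A monitoring check for the durable-nonce step in the list above, as an added example that is not Drift's or Quickex's code: it flags transactions signed by a watched admin key whose first instruction is the System Program's advance-nonce instruction, which is what marks a transaction as using a durable nonce. The input shape is assumed to follow the Solana RPC `getTransaction` `jsonParsed` encoding, and every key, signature and program name in the sample is a constructed placeholder.

```python
SYSTEM_PROGRAM = "11111111111111111111111111111111"  # Solana System Program ID

def durable_nonce_info(tx):
    """Return the advance-nonce info dict if tx uses a durable nonce, else None.

    A durable-nonce transaction must carry the System Program's advance-nonce
    instruction as its first instruction; it stays valid until the nonce is
    advanced, so it can be signed long before it is submitted.
    """
    ixs = tx["transaction"]["message"]["instructions"]
    first = ixs[0] if ixs else {}
    parsed = first.get("parsed")
    if (first.get("programId") == SYSTEM_PROGRAM and isinstance(parsed, dict)
            and parsed.get("type") == "advanceNonce"):
        return parsed.get("info", {})
    return None

def flag_admin_nonce_txs(txs, watched):
    """List durable-nonce transactions signed by any watched admin key."""
    alerts = []
    for tx in txs:
        msg = tx["transaction"]["message"]
        hits = {k["pubkey"] for k in msg["accountKeys"] if k.get("signer")} & watched
        info = durable_nonce_info(tx)
        if info is not None and hits:
            alerts.append({"signature": tx["transaction"]["signatures"][0],
                           "nonce_account": info.get("nonceAccount"),
                           "admin_signers": sorted(hits)})
    return alerts

# Constructed sample data: every key and signature is a placeholder.
def _tx(sig, signer_keys, first_ix):
    return {"transaction": {"signatures": [sig], "message": {
        "accountKeys": [{"pubkey": k, "signer": True} for k in signer_keys],
        "instructions": [first_ix, {"programId": "VAULT_PROGRAM_PLACEHOLDER"}]}}}

ADVANCE = {"programId": SYSTEM_PROGRAM, "parsed": {"type": "advanceNonce", "info": {
    "nonceAccount": "NONCE_ACCOUNT_PLACEHOLDER", "nonceAuthority": "COUNCIL_KEY_A"}}}
TRANSFER = {"programId": SYSTEM_PROGRAM, "parsed": {"type": "transfer", "info": {}}}
WATCHED = {"COUNCIL_KEY_A", "COUNCIL_KEY_B"}  # hypothetical multisig member keys
SAMPLE_TXS = [
    _tx("SIG_1", ["COUNCIL_KEY_A", "COUNCIL_KEY_B"], ADVANCE),  # pre-signable admin tx
    _tx("SIG_2", ["COUNCIL_KEY_A"], TRANSFER),                  # normal blockhash tx
    _tx("SIG_3", ["UNRELATED_KEY"], ADVANCE),                   # nonce tx, not an admin
]

if __name__ == "__main__":
    for alert in flag_admin_nonce_txs(SAMPLE_TXS, WATCHED):
        print(alert)
```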

This “human-layer” failure highlights a growing trend in 2026: even well-audited protocols remain vulnerable when administrative keys or multisigs are compromised. Some analysts, including Elliptic, have flagged patterns consistent with DPRK-linked (Lazarus Group) operations, though this remains unconfirmed.
Drift’s Response and Current Status
Drift Protocol acted swiftly:
- Paused the entire protocol.
- Contacted major exchanges and security partners.
- On April 3, the team began sending on-chain messages to the four Ethereum wallets holding the stolen funds, stating “We are ready to speak” and inviting contact via Blockscan chat.
As of now, no funds have been recovered, and the DRIFT token has plunged 30–37% amid the fallout. Circle (issuer of USDC) has faced sharp criticism from on-chain detective ZachXBT for the delayed response to freeze requests.
What This Means for Solana DeFi and the Industry
This exploit is a painful reminder that even top-tier DeFi protocols on high-performance chains like Solana are not immune to sophisticated attacks. While the code held, the governance and key-management layer failed catastrophically.
At Quickex.io, we continue to stress the importance of:
- Revoking approvals regularly
- Using hardware wallets for large positions
- Monitoring protocol security updates
The incident also puts renewed focus on multisig best practices, durable nonce risks, and the need for faster issuer intervention on bridged stablecoins.
The full investigation is ongoing, and Drift has promised further updates once third-party attributions are complete. In the meantime, users are advised to stay vigilant, avoid interacting with any suspicious links, and monitor official channels.
This remains a developing story. We will provide updates as new information emerges.
