Solana: AI for investors

Drift Protocol Suffers $200–$285 Million Exploit in Second-Largest Solana Attack

On April 1, 2026, Drift Protocol, a decentralized derivatives trading platform on Solana, fell victim to a major security breach, resulting in losses estimated between $200 and $285 million. The attack drained over half of the platform’s total value locked (TVL), making it the second-largest exploit on the Solana blockchain to date.

The breach began around 1:30 a.m. Eastern Time, with onchain analysts detecting unauthorized fund transfers from Drift’s vaults. The attacker exploited compromised security council access to manipulate durable nonces (critical transaction security parameters), allowing them to siphon assets from multiple vaults, including JLP Delta Neutral, Solana Super Staking, and Bitcoin Super Staking. Stolen funds included 980,000 SOL (worth ~$82 million at the time), 41.7 million JLP tokens (~$155 million), USDC, wrapped Bitcoin, and other tokens. The attacker funneled assets through a flagged wallet (HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES), converting portions to stablecoins via Jupiter DEX and bridging some to Ethereum.

The market reacted swiftly. Drift’s native token (DRIFT) plummeted from $0.68 to $0.05 within 24 hours, a 92% drop, while Solana’s price dipped to a local low of $83.82 before partial recovery. Drift’s market capitalization fell to $30.6 million, with over 50% of its TVL wiped out.

Drift Protocol suspended deposits and withdrawals immediately, issuing a public warning on X: "We are observing unusual activity on the protocol. We are currently investigating. Please do not deposit funds into the protocol while we investigate." The team ruled out an April Fools’ prank and collaborated with security firms, exchanges, and bridges to contain the breach. The exact exploit vector remains unconfirmed, with possibilities including smart contract vulnerabilities, compromised private keys, or oracle manipulation.

Blockchain analysis revealed the attacker’s wallet was created eight days prior but remained dormant until 18 hours before the breach, suggesting premeditation. By 5:45 p.m. UTC, the attacker had converted stolen assets into ~19,913 ETH (~$42 million). Circle, the issuer of USDC, was alerted, indicating stablecoins were a significant portion of the haul. Onchain data showed over $250 million moving from Drift to an interim wallet before being dispersed across multiple addresses.

The incident underscores critical vulnerabilities in DeFi security architecture, particularly the risks of centralized control over protocol functions. The attacker’s ability to manipulate durable nonces via compromised admin access highlights a systemic weakness in how some decentralized platforms delegate privileges. The eight-day reconnaissance period and rapid asset conversion to stablecoins and cross-chain bridges reflect increasingly sophisticated tactics in cryptocurrency heists, designed to evade detection and recovery efforts.

Source: https://mlq.ai/news/solana-defi-platform-drift-loses-over-280-million-in-security-breach/

Solana cybersecurity rating report: https://www.rankiteo.com/company/solana

"id": "SOL1775142110",
"linkid": "solana",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Cryptocurrency/Blockchain',
                        'name': 'Drift Protocol',
                        'type': 'Decentralized Finance (DeFi) Platform'}],
 'attack_vector': 'Compromised security council access, manipulation of '
                  'durable nonces',
 'customer_advisories': 'Public warning issued to avoid depositing funds into '
                        'the protocol during investigation.',
 'data_breach': {'data_exfiltration': 'Yes, assets funneled through flagged '
                                      'wallet and converted to stablecoins/ETH',
                 'personally_identifiable_information': 'None',
                 'sensitivity_of_data': 'High (financial assets)',
                 'type_of_data_compromised': 'Cryptocurrency assets (SOL, JLP '
                                             'tokens, USDC, wBTC, etc.)'},
 'date_detected': '2026-04-01T01:30:00-04:00',
 'date_publicly_disclosed': '2026-04-01',
 'description': 'Drift Protocol, a decentralized derivatives trading platform '
                'on Solana, fell victim to a major security breach, resulting '
                'in losses estimated between $200 and $285 million. The attack '
                'drained over half of the platform’s total value locked (TVL), '
                'making it the second-largest exploit on the Solana blockchain '
                'to date. The attacker exploited compromised security council '
                'access to manipulate durable nonces, allowing them to siphon '
                'assets from multiple vaults.',
 'impact': {'brand_reputation_impact': 'Significant reputational damage, '
                                       'market capitalization fell to $30.6 '
                                       'million',
            'conversion_rate_impact': 'DRIFT token dropped from $0.68 to $0.05 '
                                      '(92% drop)',
            'downtime': 'Deposits and withdrawals suspended',
            'financial_loss': '$200–$285 million',
            'operational_impact': 'Protocol operations halted, TVL reduced by '
                                  'over 50%',
            'systems_affected': 'Drift Protocol vaults (JLP Delta Neutral, '
                                'Solana Super Staking, Bitcoin Super Staking)'},
 'initial_access_broker': {'entry_point': 'Compromised security council access',
                           'high_value_targets': 'Drift Protocol vaults (JLP '
                                                 'Delta Neutral, Solana Super '
                                                 'Staking, Bitcoin Super '
                                                 'Staking)',
                           'reconnaissance_period': '8 days (wallet created 8 '
                                                    'days prior, dormant until '
                                                    '18 hours before breach)'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Critical vulnerabilities in DeFi security architecture, '
                    'particularly risks of centralized control over protocol '
                    'functions. Need for improved security around admin access '
                    'and nonce management.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Collaboration with security '
                                                  'firms, exchanges, and '
                                                  'bridges to track stolen '
                                                  'funds; suspension of '
                                                  'deposits and withdrawals',
                            'root_causes': 'Compromised security council '
                                           'access, manipulation of durable '
                                           'nonces, potential smart contract '
                                           'vulnerabilities or oracle '
                                           'manipulation'},
 'recommendations': 'Enhance security of admin privileges, implement stricter '
                    'access controls, improve monitoring for suspicious '
                    'activity, and conduct thorough audits of smart contracts '
                    'and oracle systems.',
 'references': [{'date_accessed': '2026-04-01',
                 'source': 'Drift Protocol X (Twitter) Announcement'},
                {'date_accessed': '2026-04-01', 'source': 'Onchain Analysis'}],
 'response': {'communication_strategy': 'Public warning issued on X (Twitter)',
              'containment_measures': 'Suspended deposits and withdrawals, '
                                      'collaborated with exchanges and bridges '
                                      'to track stolen funds',
              'incident_response_plan_activated': 'Yes',
              'third_party_assistance': 'Security firms, exchanges, bridges'},
 'stakeholder_advisories': 'Public warning issued to avoid depositing funds '
                           'into the protocol during investigation.',
 'title': 'Drift Protocol Suffers $200–$285 Million Exploit in Second-Largest '
          'Solana Attack',
 'type': 'Exploit',
 'vulnerability_exploited': 'Durable nonces manipulation, potential smart '
                            'contract vulnerabilities, compromised private '
                            'keys, or oracle manipulation'}