lazarusholic

Everyday is lazarus.dayβ

Drift Protocol Hack: How Privileged Access Led to a $285M Loss

2026-04-09, Chainalysis
https://www.chainalysis.com/blog/lessons-from-the-drift-hack/
#DriftProtocol

Contents

TL;DR
- On April 1, 2026, Solana’s Drift Protocol was drained of $285 million (over 50% of its TVL) in a highly coordinated attack likely linked to North Korean (DPRK) actors. Preliminary on-chain indicators are consistent with previously attributed DPRK operations, though formal attribution remains pending.
- According to Drift’s post-mortem, which has not yet been independently verified by a completed third-party investigation, attackers spent months building relationships with the Drift team. The attackers then used Solana’s “durable nonces” feature to get Drift Security Council members to unknowingly pre-sign transactions that eventually handed over admin control.
- Once in control, the attackers whitelisted a worthless, artificially priced fake token (CVT) as collateral. They deposited 500 million CVT and used it to withdraw $285 million in real assets like USDC, SOL, and ETH.
- Because the transactions used valid admin signatures, standard security didn’t flag them. The incident highlights the need for pre-execution evaluation tools, …
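
A sketch of the kind of pre-execution check the last point calls for, written as an added example and not code from Chainalysis or Drift: it flags a transaction that pairs a durable nonce (System Program `AdvanceNonceAccount` as the first instruction) with a governance-sensitive action before a signer approves it. The decoded-transaction dictionary layout, the `label` field, the instruction labels and the sample program ID are assumptions made for illustration.

```python
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE = 4  # SystemInstruction::AdvanceNonceAccount, encoded as u32 LE

# Hypothetical labels for governance-sensitive instructions (assumption);
# a real check would derive them from the protocol's own instruction set.
SENSITIVE = {"update_admin", "whitelist_collateral"}


def uses_durable_nonce(tx):
    """Durable-nonce transactions carry AdvanceNonceAccount as instruction 0."""
    if not tx["instructions"]:
        return False
    first = tx["instructions"][0]
    data = first["data"]
    return (first["program_id"] == SYSTEM_PROGRAM and len(data) >= 4
            and struct.unpack_from("<I", data)[0] == ADVANCE_NONCE)


def review(tx):
    """Return (verdict, findings) for a transaction a signer is asked to sign."""
    findings = []
    durable = uses_durable_nonce(tx)
    if durable:
        findings.append("durable nonce: signature does not expire with the blockhash")
    hits = sorted({ix.get("label") for ix in tx["instructions"]} & SENSITIVE)
    findings += [f"sensitive action: {h}" for h in hits]
    if durable and hits:
        return "block", findings
    return ("escalate" if durable or hits else "allow"), findings


# Constructed sample transactions (not taken from the incident).
NONCE_IX = {"program_id": SYSTEM_PROGRAM, "data": struct.pack("<I", ADVANCE_NONCE)}
TRANSFER_IX = {"program_id": SYSTEM_PROGRAM, "data": struct.pack("<IQ", 2, 1000)}
ADMIN_IX = {"program_id": "ExampleProgram111", "data": b"", "label": "update_admin"}

ROUTINE = {"instructions": [TRANSFER_IX]}
PRESIGNED_ADMIN = {"instructions": [NONCE_IX, ADMIN_IX]}
LIVE_ADMIN = {"instructions": [ADMIN_IX]}

if __name__ == "__main__":
    for name, tx in [("routine", ROUTINE), ("presigned", PRESIGNED_ADMIN),
                     ("live admin", LIVE_ADMIN)]:
        print(name, review(tx))
```

The check runs on what the signer is about to approve, so a valid signature alone never reaches the "allow" verdict when the transaction is both long-lived and privileged.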