
Inside the $285 Million Drift Protocol Hack: Timeline, Tactics, and Lessons

On April 1, 2026, the Solana‑based Drift Protocol lost $285 million in a 12‑minute exploit that leveraged a fake CVT token, a vulnerable 2‑of‑5 multisig, and Solana's Durable Nonce feature. Investigators have linked the attack to North Korea's Lazarus Group, and the incident highlights systemic governance and oracle risks.

Black & White Path

Event recap – a 12‑minute disaster

On April 1, 2026, attackers emptied Drift Protocol’s treasury of $285 million in just ten seconds, executing 31 withdrawal transactions after a 20‑day preparation period.

Attack timeline

Mid‑March: Creation of a fake asset, CarbonVote Token (CVT), and low‑volume trades on Jupiter to seed price history.

March 31: Social‑engineering attack obtains a 2‑of‑5 multisig signature.

T‑25 s: CVT added to the collateral whitelist.

T‑20 s: Safety circuit breaker disabled.

T‑2 s: 500 million CVT deposited, system values it at >$100 million.

T = 0: 31 withdrawals executed in 10 seconds, draining the vault.

Technical methods

Fake asset warm‑up: Small liquidity injections created a price history that fooled Drift’s price oracle into assigning real market value to CVT.

Multisig vulnerability: Drift used a 2‑of‑5 scheme, allowing the attacker, after a targeted social‑engineering campaign, to change protocol parameters with only two signatures.

Durable Nonce exploitation: The attacker pre‑signed multiple transactions using Solana’s Durable Nonce, enabling rapid, ordered execution without network congestion.

Attribution

Security firms TRM Labs, Elliptic, and PeckShield point to North Korea’s Lazarus Group, citing deployment times that match Pyongyang working hours, cross‑chain bridge usage patterns identical to previous Lazarus attacks, and the combination of social engineering with complex technical methods.

Impact and aftermath

Direct loss: $285 million (confirmed by Elliptic and TRM Labs).

TVL dropped from $550 million to under $250 million (‑50%).

DRIFT token price fell >40%.

Drift halted all deposits, withdrawals, and trading; a full security audit is underway.

Compensation remains uncertain; unlike the Wormhole breach, no major backer has pledged full coverage.

Solana ecosystem saw price volatility in related derivatives and increased regulatory scrutiny of DeFi protocols.

Security takeaways

Governance balance: The 2‑of‑5 multisig, intended for rapid response, proved too permissive; a longer time‑lock (24‑48 h) or a stricter 5‑of‑7 scheme is recommended.

Oracle risk management: Relying solely on price feeds without considering liquidity depth and slippage is unsafe; dynamic asset evaluation that incorporates depth metrics should be introduced.

Human factor: Even flawless code can be compromised by social engineering; hardware security modules (HSMs) for key storage and transparent signing processes are essential.

Solana‑specific defenses: Monitoring for large batches of pre‑signed Durable Nonce transactions can provide early warnings and allow pre‑emptive blocking.
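The oracle risk management takeaway above, as an added example (not from the article or from Drift's code base): a deposit is valued by what it would fetch if sold into the available liquidity, rather than by spot price times quantity. The constant‑product pool model, the reserve figures, the 5% slippage cap and the 20% haircut are assumptions; only the 500 million CVT deposit size comes from the timeline.

```python
# Added example, not Drift's code. Assumption: the token's only market is one
# constant-product pool (x * y = k), fees ignored. Pool figures are constructed.

POOL_CVT = 2_000_000        # constructed: CVT reserve in the thin pool
POOL_USDC = 420_000         # constructed: USDC reserve (spot = $0.21 per CVT)
DEPOSIT_CVT = 500_000_000   # deposit size from the attack timeline


def spot_value(amount, base_reserve, quote_reserve):
    """Price-only valuation: marginal pool price times quantity."""
    return amount * quote_reserve / base_reserve


def liquidation_value(amount, base_reserve, quote_reserve):
    """Quote tokens actually received when `amount` is sold into the pool."""
    if amount <= 0:
        return 0.0
    return quote_reserve * amount / (base_reserve + amount)


def slippage(amount, base_reserve):
    """Fraction of spot value lost on liquidation: dx / (x + dx)."""
    return amount / (base_reserve + amount)


def max_deposit(base_reserve, max_slippage):
    """Largest position whose full sale stays within `max_slippage`."""
    return base_reserve * max_slippage / (1 - max_slippage)


def collateral_value(amount, base_reserve, quote_reserve,
                     max_slippage=0.05, haircut=0.20):
    """Credit only the sellable part of a deposit, at its realizable price."""
    accepted = min(amount, max_deposit(base_reserve, max_slippage))
    return liquidation_value(accepted, base_reserve, quote_reserve) * (1 - haircut)


if __name__ == "__main__":
    args = (DEPOSIT_CVT, POOL_CVT, POOL_USDC)
    print(f"price-only value:    ${spot_value(*args):,.0f}")
    print(f"liquidation value:   ${liquidation_value(*args):,.0f}")
    print(f"slippage on exit:    {slippage(DEPOSIT_CVT, POOL_CVT):.1%}")
    print(f"credited collateral: ${collateral_value(*args):,.0f}")
```

With these constructed reserves the price‑only valuation is $105 million, while selling the whole position could never return more than the $420,000 sitting in the pool.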

Overall, the Drift hack underscores that DeFi security must integrate code audits, robust governance, oracle safeguards, and zero‑trust operational practices.
