The exchange’s native token DRIFT has fallen more than 37% since the incident, raising questions about whether the platform can recover.
Drift, one of the largest decentralized exchanges on Solana, said in a Thursday post on X, April 2, that a “malicious actor gained unauthorized access” to its admin system and drained about $280 million after what looks like a weeks-long setup.
The team said the incident wasn’t caused by a bug in its smart contracts or stolen seed phrases, but by unauthorized or misleading transaction approvals obtained earlier:
“Based on our investigation to date: – This was not the result of a bug in Drift’s programs or smart contracts – There is no evidence of compromised seed phrases.”
How Drift Was Hacked
From what the team described, the attacker didn’t break the code. Instead, they worked around it. Multiple signers in Drift’s Security Council appear to have approved transactions in advance, likely without realizing how those approvals would later be used.
Those approvals were then paired with a Solana feature that lets transactions be signed ahead of time and executed later. Once everything was lined up, the attacker moved fast.
Drift said the hacker secured enough approvals under its 2-of-5 multisig setup and executed an admin transfer within minutes, effectively taking control of the protocol. Using that access, the attacker reportedly listed a fake token called CarbonVote Token (CVT) as a new market, inflated its price via a tiny liquidity pool, and used it as collateral.
Even though the pool had only around $700 in real liquidity, the attacker still was able to deposit CVT as “collateral” with an artificial value of roughly $785 million. They then removed withdrawal limits and drained assets like USDC, USDT and other tokens across multiple vaults, essentially turning a few hundred dollars of real liquidity into a massive exploit.
It’s still unclear how the attacker managed to get the multisig approvals in the first place.
The team acknowledged that “all deposits” into lending, vaults, and trading were affected. Assets not deposited into Drift, including DSOL held outside the platform and the insurance fund, weren’t impacted, the team said.
Where Did Funds From the Drift Hack Go
Blockchain analytics firm Arkham Intelligence said in a post on X after the incident that the attacker moved the stolen funds to Ethereum, spreading them across several wallets.
A separate blockchain tracking account, MLM, specified in an X post that the largest share of the stolen assets was in USDC (over $60 million), followed by roughly $5.6 million in USDT, $4.4 million in Wrapped Bitcoin, $4.7 million in Wrapped Ethereum, along with a range of other altcoins.
The incident has also drawn criticism toward Circle, the company behind USDC. Blockchain sleuth ZachXBT noted in multiple posts on X that a large portion of USDC was moved using Circle’s cross-chain system and argued the company had several hours to freeze the funds, but didn’t. Commenting on the incident, ZachXBT wrote:
“Circle chooses to not engage with the private sector and instead sucks off govt regulators via lobbying by using buzz words like compliance or regulated without actually implementing solutions (who believes them unbeknownst of the problem).”
What’s Next for Drift
Amid the fallout, the price of Drift’s native token DRIFT, which is used for governance and utility, dropped more than 40%, hitting an all-time low of $0.038 before recovering slightly to around $0.042, according to data from CoinGecko.
The size of the loss is pretty significant given Drift’s revenue. Although Drift is in the top 20 protocols on Solana by total value locked, data from DefiLlama shows the platform generates only about $6-8 million in annualized revenue, which is relatively small compared to the amount stolen.
Drift said it has disabled key protocol functions, updated its multi-sig to remove the compromised wallet, and is now working with exchanges, bridges, and law enforcement in an effort to trace the stolen assets.
