
Solana Drift Protocol drained of $285M via fake token and governance hijack

Why This Matters

The Solana-based Drift Protocol hack highlights the evolving sophistication of DeFi exploits, where attackers leveraged governance vulnerabilities and social engineering to drain $285 million. This incident underscores the importance of robust security measures and vigilant governance protocols to protect user assets in decentralized finance. For consumers and the industry, it serves as a stark reminder of the need for enhanced security practices in DeFi platforms to prevent similar attacks.

Key Takeaways

Attackers drained $285 million from Drift Protocol, Solana's largest perpetual futures exchange, on April 1, 2026. TRM Labs estimates the drain took roughly 12 minutes. The exploit targeted governance, not smart contract code.

TRM Labs assessed the hack was "likely perpetrated by North Korean hackers" based on on-chain staging patterns. Elliptic independently assessed the behaviour as consistent with previous DPRK-backed operations.

A malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers. — Drift Protocol, via X

The preparation began on March 11 with a 10 ETH withdrawal from Tornado Cash. The funds were used to deploy CarbonVote Token (CVT), a completely fictitious asset with approximately 750 million units minted. The attacker seeded a small liquidity pool on Raydium with a few thousand dollars. Wash trading built an artificial price history near $1.

Drift's oracles picked up the manufactured price. CVT began to look like legitimate collateral.

Between March 23 and March 30, the attacker created multiple "durable nonce" accounts. Durable nonces are a legitimate Solana feature that allows transactions to be pre-signed and executed later without expiring. The attacker used social engineering to induce Drift Security Council multisig signers into pre-signing transactions that appeared routine but carried hidden authorisations.
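A signer-side check for the durable-nonce pattern described above, as an added example that is not from the original article or from Drift: it parses a serialized Solana message and reports whether its first instruction is the System Program's AdvanceNonceAccount, which is what marks a transaction as durable-nonce based and therefore non-expiring. The sample messages and key bytes are constructed for illustration.

```python
SYSTEM_PROGRAM = bytes(32)                 # System Program id is 32 zero bytes
ADVANCE_NONCE = (4).to_bytes(4, "little")  # SystemInstruction::AdvanceNonceAccount

def _shortvec(buf, off):
    """Decode Solana's compact-u16 length prefix; return (value, next offset)."""
    val = shift = 0
    while True:
        b = buf[off]
        off += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, off
        shift += 7

def durable_nonce_account(msg):
    """Return the nonce account key if msg is a durable-nonce transaction
    message, else None. Raises IndexError on truncated input."""
    off = 1 if msg[0] & 0x80 else 0    # versioned messages carry a prefix byte
    off += 3                           # 3-byte message header
    n_keys, off = _shortvec(msg, off)
    keys = [msg[off + 32 * i: off + 32 * (i + 1)] for i in range(n_keys)]
    off += 32 * n_keys + 32            # skip keys and the blockhash/nonce field
    n_ix, off = _shortvec(msg, off)
    if n_ix == 0:
        return None
    prog = msg[off]                    # first instruction: program id index
    n_acc, off = _shortvec(msg, off + 1)
    accts = msg[off:off + n_acc]
    dlen, off = _shortvec(msg, off + n_acc)
    data = msg[off:off + dlen]
    if (prog < n_keys and keys[prog] == SYSTEM_PROGRAM
            and data[:4] == ADVANCE_NONCE and n_acc and accts[0] < n_keys):
        return keys[accts[0]]          # account 0 of the instruction is the nonce
    return None

def _msg(keys, prog, accts, data):
    """Constructed legacy message with one instruction (sample input only)."""
    return (bytes([1, 0, 1, len(keys)]) + b"".join(keys) + b"\xaa" * 32
            + bytes([1, prog, len(accts)]) + bytes(accts)
            + bytes([len(data)]) + data)

KEYS = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, SYSTEM_PROGRAM]  # constructed
NONCE_TX = _msg(KEYS, 3, [1, 2, 0], ADVANCE_NONCE)
TRANSFER_TX = _msg(KEYS, 3, [0, 1], (2).to_bytes(4, "little") + (1000).to_bytes(8, "little"))

if __name__ == "__main__":
    for name, m in (("nonce", NONCE_TX), ("transfer", TRANSFER_TX)):
        acct = durable_nonce_account(m)
        print(name, "DURABLE NONCE: does not expire" if acct else "ordinary blockhash")
```

A signer or review tool that gets a nonce account back from this check is looking at a request that can be executed at any later time, not a routine short-lived transaction.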

Drift migrated its Security Council on March 27 to a new 2-of-5 threshold with zero timelock. That eliminated the delay that would have allowed detection before admin actions took effect.

April 1 was execution day. The attacker listed CVT as a valid market on Drift, raised withdrawal limits to extreme levels, and drained funds from nearly 20 vaults.

This is not an April Fools joke. — Drift Protocol, via X

Stolen assets were converted to USDC and SOL. The attacker bridged them from Solana to Ethereum using Circle's Cross-Chain Transfer Protocol (CCTP), converted to ETH, and accumulated approximately 129,066 ETH. SOL deposits went into HyperLiquid and Binance.
