On April 1, 2026, attackers drained approximately USD 285 million in user assets from Drift Protocol, the largest decentralized perpetual futures exchange on Solana. TRM's initial investigation suggests the hack was likely perpetrated by North Korean hackers, with security firms Elliptic and TRM Labs attributing the attack to DPRK-linked threat actors. The critical vulnerability was not a smart contract bug but a combination of social engineering multisig signers into pre-signing hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol's last line of defense. The attacker manufactured an entirely fictitious asset — CarbonVote Token — with a few thousand dollars in seeded liquidity and wash trading, and Drift's oracles treated it as legitimate collateral worth hundreds of millions of dollars.
The contagion spread to more than 20 protocols. Prime Numbers Fi reported losses in the millions. Carrot Protocol paused mint and redeem functions after 50% of its TVL was affected. Pyra Protocol disabled withdrawals entirely, leaving all user funds inaccessible. At USD 285 million, the Drift exploit is the largest DeFi hack of 2026 and the second-largest in Solana's history, behind only the USD 326 million Wormhole bridge hack in 2022.
