Drift Protocol, Solana's largest decentralized perpetual futures exchange, confirmed attackers drained approximately $285 million on April 1st, making it the biggest cryptocurrency hack of 2026. The sophisticated attack combined a fake token manipulation, compromised administrative keys, and governance vulnerabilities to bypass security protocols in what officials called a 'novel attack involving durable nonces.'
The exploit began weeks earlier with the creation of 'CarbonVote Token' (CVT), which attackers seeded with minimal liquidity and used wash trading to establish a $1 price history. Drift's oracles eventually recognized the manipulated token as legitimate collateral worth hundreds of millions. On April 1st, compromised admin keys were used to list CVT as a valid market while simultaneously removing withdrawal limits.
Multiple Solana DeFi protocols reported exposure to the Drift hack, with platforms like PiggyBank_fi, Reflect Money, and Ranger Finance either pausing operations or covering user losses with team funds. The rapid movement of stolen funds through Circle's CCTP bridge to Ethereum drew criticism for the lack of intervention during US business hours. Security audits from Trail of Bits and ClawSecure had given Drift passing grades, but the recent governance changes and CVT market introduction apparently evaded detection.
