Drift Protocol lost $285 million within minutes on April 1, 2026, in what became the largest DeFi exploit of the year. The attack unfolded in three coordinated phases starting in the early hours, with the attacker draining approximately $285 million primarily in USDC, JLP, and other tokens held in Drift's vaults through dozens of separate withdrawal transactions. More than half of the protocol's total value locked was eliminated before the team could respond.
The exploit combined three attack vectors: fake token creation, oracle manipulation, and a compromised admin key, with each step enabling the next. This was not a traditional code exploit but primarily a governance failure that targeted oracle trust, admin key security, and insufficient delay mechanisms. The attack pattern is consistent with tactics associated with suspected DPRK state-sponsored threat actors according to security firm Elliptic.
As of publication in April 2026, Drift Protocol has paused operations and is conducting an investigation, with funds remaining unrecovered. The incident highlights that hardware wallets protect personal keys but cannot protect assets deposited into third-party protocol smart contracts. Users are advised to minimize idle funds in DeFi protocols and maintain core holdings in self-custody when possible.
