Drift Hari April Mop, lebih dari 2,8 miliar dolar AS dicuri. Peretasan atau pencurian internal?

Shaw, Jinse财经

2 April 2026, platform Drift Protocol for derivative trading experienced a security incident; on-chain data shows losses of more than $285 million. The project team said it has discovered abnormal activity and is investigating, urging users not to deposit funds into the protocol for now, and emphasized, “This is not an April Fools’ joke.”

This attack involved multiple liquidity pools, including JLP Delta Neutral, SOL Super Staking, and BTC Super Staking, etc. A single transaction transferred about 41.7 million JLP tokens worth approximately $155 million; in addition, assets such as SOL, USDC, cbBTC, and wBTC were also withdrawn.

According to statistics, this incident may become one of the largest DeFi attacks in the Solana ecosystem after the Wormhole bridge exploit.

I. Latest developments in the Drift Protocol being attacked event

On April 1, 2026, Eastern Time, the Solana ecosystem decentralized derivatives protocol Drift Protocol suffered a major hacker attack. The stolen assets totaled about $285 million. The main core stolen assets include: approximately 41.7 million JLP tokens worth $155.6 million; and various assets such as USDC, SOL, cbBTC, and wBTC. This stolen incident became one of the second-largest attacks in Solana’s history and the largest in DeFi by scale.

Drift Protocol’s official account later posted on a social platform to confirm: “Drift Protocol is under attack. The deposit and withdrawal functions have been paused. We are working with multiple security organizations, cross-chain bridges, and exchanges in coordination to fully control the situation. This is not an April Fools’ joke. More information will be published through this account as soon as possible.”

The attack began in the early hours of April 2. The on-chain monitoring platform PeckShield issued an alert: the main treasury address of Drift started making large transfers to a newly created wallet, HkGz4K. The first batch mainly involved JLP (Jito Liquidity Provider) tokens, worth about $155 million; then came USDC, SOL, cbBTC, wBTC, WETH, and some meme coins. PeckShield data shows that within a short period, total outflows of assets amounted to $285 million.

据余烬监测，2.85 亿美元被盗的 Drift 资产目前已经被换成 12.9 万枚 ETH（2.78亿美元）。黑客在过去几个小时里，通过多种方式，把这些资产卖出及跨链到了 Ethereum 链上，然后在 Ethereum 链上买成ETH。现在，黑客在 Solana 上盗取的2.85 亿美元资产已经在 Ethereum 链上买成为 129,066 枚 ETH。

此外，慢雾安全团队在社交媒体发文表示，目前，被盗资金已基本集中到以下以太坊地址：0x0fe3b6908318b1f630daa5b31b49a15fc5f6b674、0xd3feed5da83d8e8c449d6cb96ff1eb06ed1cf6c7、0xaa843ed65c1f061f111b5289169731351c5e57c1，总计：105,969 ETH（约 2.26 亿美元）。

黑客地址集群：

II. Interpretation of the Drift Protocol attack event; did the project party “rob themselves”?

This attack was a carefully planned combination of a permission invasion and a price manipulation attack. The core was that after stealing administrator privileges, the hacker, by forging tokens and manipulating oracles, instantly broke through the transaction/position limits, and looted the protocol treasury. By obtaining the administrator private key, the hacker disabled the protocol’s core risk control (withdrawal limits). Then it used fake collateral to withdraw in batches from the liquidity pool, and completed money laundering by transferring assets across chains.

Regarding the incident of assets being stolen as a result of the Drift Protocol being attacked, Yu Xian, founder of SlowMist, posted an analysis stating that one week before the attack, Drift changed the multisig mechanism to “2/5” (1 old signer + 4 new signers) and did not set a timelock. The attackers then obtained administrator privileges, forged CVT tokens, manipulated oracles, disabled security mechanisms, and transferred high-value assets out of the liquidity pool.

Chaos Labs co-founder Omer Goldberg also posted on social media, saying that one week ago, Drift migrated to a new multi-signature wallet created by one of the signers from the original multi-signature. However, this signer did not add themselves to the new signer list. The attacker also initiated a proposal in the old multisig to transfer administrator privileges to this new wallet. The new multisig has 5 signers in total: only 1 person comes from the original team; the other 4 are all new addresses. The wallet is set with a 2/5 multisig threshold, and has no timelock (0 seconds delay). About 5 hours ago, this only original signer initiated a proposal via the new multisig to change the Drift administrator permissions. A new signer co-signed within one second, instantly satisfying the 2/5 threshold. Because there was no timelock, the transaction executed immediately.

Combining current on-chain evidence, team behavior, fund flow direction, and other factors, the possibility of “robbed from within” is indeed the direction with the highest discussion and the most suspicious points in the current circle, even more consistent logically than “external hacker intrusion.” Previously, the official adjusted the multisig mechanism, making the permission structure too “convenient for attacks,” not like something accidental; the attack method “knows internal logic too well,” which is completely unlike the style of an external hacker. Also, the official response to such a huge amount of assets being stolen was unusually calm; after the assets were stolen, the fund flows were very clean and clear—rapidly swapped into ETH and carried out cross-chain operations, and there was no inflow to centralized exchanges that could be easily frozen. The entire event process and operational logic. This series of events has caused community suspicions about Drift’s official “robbed from within” to grow stronger.

III. Related parties and crypto community reactions

After the Drift Protocol asset theft incident occurred, different related parties and the crypto community responded in different ways:

• In the DeFi protocol Drift asset theft incident, the JLP position loss was about $155.6 million. In response, Jupiter official stated that the platform was not affected by this incident; its lending product Jupiter Lend had no exposure to the Drift market; and that the JLP assets are “fully supported by underlying assets.” Jupiter also said this incident was a “difficult day” for the Solana DeFi ecosystem and expressed concern to the Drift team and affected users.

• Unitas Protocol, the yield generation protocol tweeted that it was not affected by the Drift Protocol attack incident. Unitas has no exposure on Drift. All collateral is safe, and all strategies (including the JLP Delta Neutral strategy) are running normally. User funds are safe. Collateral can be verified in real time through the Accountable and Primus Labs reserves proof dashboards.

• Solana liquidity protocol Meteora tweeted that all funds on Meteora are safe; all platform functions and treasuries have not interacted with the Drift protocol.

• Anna, founder of stablecoin infrastructure Perena, tweeted that its Perena USD*, USD*-J, and USD*-P were not affected by the Drift attack incident. However, the JLP treasury managed by Neutral Trade, a quantitative strategy sharing platform in the Solana ecosystem, was affected because it runs on Drift Protocol. The team is maintaining communication with partners and will continue to update progress.

• Pengguna X @hzkj99: Perjanjian aset di ekosistem SOL, Drift Protocol, dicuri, dengan kerugian mencapai ratusan juta. Sepanjang melibatkan dana, keamanan adalah prioritas utama kapan pun, terutama di pasar bear yang pasti akan ada protokol baru yang dicuri; dunia ini sungguh panggung rombongan besar-besaran. Beberapa protokol bahkan bisa dicuri berkali-kali, dan Drift juga bukan yang terakhir dicuri.

• Pengguna X @lanhubiji: Drift Protocol mengalami eksploitasi kebocoran besar, kerugian sekitar $270 juta, termasuk salah satu insiden serangan DeFi terbesar hingga 2026. Ada postingan yang dengan serius mengatakan, “Solana Foundation sedang berkoordinasi untuk melakukan rollback bersama server di ruang bawah tanah Toly (co-founder).” Walaupun ini cuma lelucon, cara ngomongnya agak berlebihan.

• Pengguna X @EnHeng456: Di pasar bear benar-benar harus ekstra hati-hati menyimpan uang. Sekarang lingkungannya makin tidak aman; di mana-mana ada kabar pencurian. Beberapa protokol lama juga sengaja bermasalah di pasar bear, dan kamu benar-benar sulit membedakan apakah itu serangan hacker atau “robbed from within.” Saya belakangan ini lebih konservatif: saya hanya menaruh secara jujur di USD1, tidak berani menyimpan sembarangan lagi. Dalam kondisi seperti ini, semakin banyak bergerak semakin mudah ada masalah. Kadang yang tidak bergerak justru pilihan terbaik; Drift dicuri dua miliar lalu masuk kantong sang jenderal.

IV. Dampak dari insiden Drift Protocol yang dicuri

Insiden Drift Protocol senilai $285 juta yang dicuri adalah serangan DeFi terbesar kedua dalam sejarah ekosistem Solana. Dampaknya jauh melampaui protokol itu sendiri, menghantam kepercayaan ekosistem Solana secara berat, dan mempercepat perubahan keamanan DeFi.

Serangan ini mengekspos cacat mematikan pada pengelolaan izin multisig dan keamanan oracle pada proyek DeFi. “Izin adalah brankas”; seandainya kunci administrator jatuh dan tidak ada mekanisme rem darurat seperti timelock, maka logika kode yang kompleks pun bisa langsung menjadi tidak berfungsi. Bagi Drift Protocol, kecuali jika dana besar berhasil dikembalikan atau ada “penyelamat besar” yang mengambil alih, maka akan menuju likuidasi, kebangkrutan, dan tuntutan hukum. Bagi Solana dan sistem ekosistemnya, reputasi ekosistemnya hancur; arus keluar dana dalam jangka pendek dan pertumbuhan melambat; sementara dalam jangka panjang, akan memaksa peningkatan keamanan. Dan bagi seluruh industri DeFi, ini bisa dibilang menjadi batu pembatas industri: “keamanan izin lebih penting daripada keamanan kode” menjadi hukum yang tak tergoyahkan; biaya kepercayaan meningkat tajam; DeFi akan memasuki tahap baru yang lebih patuh, lebih transparan, dan lebih terpusat (tata kelola keamanan).