Solana DeFi Platform Drift Protocol Breaks Silence After $285 Million Exploit

TLDR

• Drift Protocol said the attack was not caused by a smart contract bug.
• The exploit involved durable nonce accounts and pre-signed transactions.
• Drift said borrow/lend, vault and trading deposits were affected.
• ZachXBT said $230M+ USDC was bridged via CCTP in 100+ transactions.
• Circle faced criticism after stolen funds moved for hours without a freeze.

Drift Protocol, a Solana-based decentralized finance platform, is facing the aftermath of a major security breach after an attacker gained unauthorized administrative control and drained funds from parts of the protocol. The platform said the incident was tied to a sophisticated attack involving durable nonce accounts and pre-signed transactions, not a flaw in Drift’s smart contracts or evidence of compromised seed phrases.

Drift said the attacker obtained sufficient approvals within its Security Council multisig structure and then executed an admin takeover within minutes. The protocol said deposits into borrow and lend products, vault deposits and funds placed for trading were affected. It added that DSOL not deposited in Drift, including assets staked to the Drift Validator, was not affected. Insurance fund assets, Drift said, are being withdrawn for safeguarding as the investigation continues.

Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.

This was a highly sophisticated operation that appears to have involved…

— Drift (@DriftProtocol) April 2, 2026

The case has drawn broad attention across the crypto sector, with security researchers and blockchain analysts tracking the movement of funds across wallets and blockchains. Reports circulating in the market have placed the value of the exploit at more than $280 million, making it one of the largest DeFi incidents of 2026. Drift said it is working with security firms, exchanges, bridges, and law enforcement in an effort to trace and recover assets.

Drift Says Admin Takeover Followed Pre-signed Transaction Abuse

According to Drift’s public account, the attack involved prepositioned access via durable nonce accounts and approvals obtained before the malicious execution. The protocol said four durable nonce accounts were created on March 23, including accounts associated with Security Council multisig members and attacker-controlled wallets.

Drift said the execution phase began on April 1, when it processed a legitimate test withdrawal from an insurance fund. About a minute later, the attacker allegedly used two pre-signed durable-nonce transactions to transfer administrative control and obtain protocol-level permissions. Drift said that control was then used to introduce a malicious change that enabled the outflow of funds.

The platform added that the attacker secured enough approvals under a 2-of-5 multisig arrangement. Drift said its investigation so far indicates that the incident likely involved unauthorized or misrepresented transaction approvals obtained in advance, with social engineering or transaction misrepresentation seen as possible factors.

Circle Response Questioned after USDC Moved through CCTP

The incident also brought renewed attention to Circle, the issuer of USDC, after on-chain investigator ZachXBT and other crypto users criticized the company’s handling of the stolen funds. Posts shared on X said that more than $230 million in USDC was bridged from Solana to Ethereum through Circle’s Cross-Chain Transfer Protocol, or CCTP, across more than 100 transactions after the attack began.

Circle was asleep while many millions of USDC was swapped via CCTP from Solana to Ethereum for hours from the 9 figure Drift hack during US hours.

Value was moved and nothing was done yet again.

Comes days after you froze 16+ business hot wallets incompetently which is still… pic.twitter.com/T0Xwg1HIfO

— ZachXBT (@zachxbt) April 2, 2026

Those posts claimed Circle had several hours during U.S. business hours in which it could have frozen the funds but did not do so. The criticism was amplified because Circle is a centralized stablecoin issuer with blacklist functionality tied to USDC, a point that market participants repeatedly referenced in their reactions to the transfers.

Circle had not publicly responded to the citations by users at the time those comments were posted. The lack of a public statement heightened the reaction from researchers and traders, some of whom questioned whether large cross-chain transfers linked to a widely discussed exploit should have prompted faster intervention.

Drift’s native token also came under pressure after the exploit. DRIFT was trading at $0.04301, down 38.1% over the past 24 hours, according to CoinMarketCap. The token’s market capitalization stood at $24.99 million, while 24-hour trading volume rose to $54.74 million as traders reacted to the breach and its aftermath.