#Gate广场四月发帖挑战


Nobody in DeFi wanted to believe it when they first saw the headline on April 1, 2026. The team at Drift Protocol itself had to clarify immediately that this was not an April Fools' joke. What happened to one of Solana's most important decentralized exchanges that day was real, it was devastating, and it is now being called the second-largest exploit in the entire history of the Solana blockchain.

Drift Protocol is a perpetual futures and derivatives exchange built on Solana. At its peak, the protocol was holding approximately $550 million in total value locked across shared vaults containing user deposits in assets like USDC, JitoSOL, JLP tokens, wrapped Bitcoin, and Solana. On April 1, 2026, attackers drained somewhere between $280 million and $285 million from those vaults, more than half of everything users had trusted the protocol to hold. TVL collapsed from $550 million to just $24 million in a matter of hours.

What makes this exploit uniquely alarming is that no smart contract code was broken. No private keys were stolen in the traditional sense. This was not a bug in Drift's on-chain program logic. What the attackers executed was something far more sophisticated and far more unsettling: a carefully engineered social engineering operation targeting the humans behind the protocol's security architecture.

Drift Protocol, like many DeFi projects, used a 5-of-9 Security Council multisig system to govern admin-level decisions. The attackers spent multiple weeks preparing before a single dollar was moved. Starting around March 23, 2026, they began creating durable nonce accounts (a feature native to Solana) that were tied to the wallets of Drift's Security Council multisig signers. These nonce accounts allowed the attackers to pre-sign transactions that could be executed at any future moment without requiring fresh approval from the signers. The signers likely approved what appeared to be routine or innocuous transactions, not realizing they were handing over the mechanism for a future takeover.

On March 27, the attackers exploited a scheduled multisig migration event, a legitimate protocol maintenance procedure, as cover. They embedded their malicious infrastructure inside this routine operation without triggering alarms. Then on April 1, immediately after a legitimate test withdrawal was processed by the team, the pre-signed transactions executed automatically. Within just four Solana blockchain slots, roughly two seconds, the attackers had granted themselves full admin control over the entire protocol.

With admin access secured, the attack moved in three devastating steps. First, admin powers were fully assumed. Second, a fake asset called CarbonVote Token was introduced into the protocol and wash-traded aggressively to manipulate price oracles into treating it as a legitimate asset with real value. Third, withdrawal limits were removed entirely, and the attackers systematically drained approximately twenty shared vaults, taking everything they could in USDC, JitoSOL, JLP tokens, wrapped Bitcoin, and SOL. The DRIFT token itself collapsed more than 40 percent in value within hours of the exploit becoming public.

The funds did not stay on Solana. Approximately $278.5 million was bridged to Ethereum using Circle's Cross-Chain Transfer Protocol almost immediately after the drain. The attackers deliberately avoided USDT, likely to reduce the risk of a centralized freeze, and moved the funds across four Ethereum wallet addresses that have since been tracked and published by blockchain analytics firm Arkham Intelligence. Security firm Elliptic has reported potential links to North Korean state-affiliated threat actors, and portions of the funds have already moved through Tornado Cash, a known obfuscation tool, while some flow has been identified toward a major exchange where KYC verification may complicate further movement.

Drift Protocol responded by pausing all deposits and withdrawals immediately, freezing the protocol entirely, and removing the compromised multisig wallet from any further admin access. The team confirmed that the insurance fund was not affected and that DSOL held outside of Drift remained safe. Law enforcement has been notified and the team is working with multiple blockchain security firms on attribution and potential recovery. A full postmortem has been promised.

This exploit is not just Drift's problem. It is the most important security lesson DeFi has received in years. The attack was not a code failure; it was a governance failure. Multisig systems are only as strong as the humans operating them and the processes surrounding them. Durable nonces on Solana create a pre-signing vulnerability that the broader ecosystem has not adequately addressed. Social engineering of key signers is now a proven attack vector at scale, with $285 million as the proof of concept.

Every protocol running a multisig governance structure, on Solana or anywhere else, needs to audit its nonce account exposure immediately. Every DeFi user needs to understand that code audits alone cannot protect against human-layer attacks of this sophistication. The Drift exploit is a watershed moment for decentralized security design, and the $285 million it cost belongs to real users who trusted the system.
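The durable nonce mechanism described earlier and the audit called for here both come down to one signer-side check: does the message I am about to sign stay valid indefinitely? The following is an added example, not code from Drift or from the original post. It relies on Solana's wire format, in which a durable-nonce transaction must begin with the System Program's `AdvanceNonceAccount` instruction and carries the stored nonce in the blockhash field. Function names are hypothetical and the sample messages are constructed.

```python
import struct

SYSTEM_PROGRAM = bytes(32)            # System Program id: 32 zero bytes
ADVANCE_NONCE = struct.pack("<I", 4)  # SystemInstruction::AdvanceNonceAccount tag

def compact_u16(buf, pos):
    """Decode a Solana compact-u16 length; return (value, next position)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def durable_nonce_info(msg: bytes):
    """Return None for a blockhash-bound message, else details of the nonce it uses."""
    pos = 4 if msg[0] & 0x80 else 3   # optional version prefix + 3-byte header
    n_keys, pos = compact_u16(msg, pos)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    stored_hash, pos = msg[pos:pos + 32], pos + 32
    n_ix, pos = compact_u16(msg, pos)
    if n_ix == 0 or msg[pos] >= n_keys:
        return None
    program, pos = keys[msg[pos]], pos + 1
    n_acc, pos = compact_u16(msg, pos)
    acc_idx, pos = list(msg[pos:pos + n_acc]), pos + n_acc
    data_len, pos = compact_u16(msg, pos)
    data = msg[pos:pos + data_len]
    # Only the first instruction matters: it must be AdvanceNonceAccount.
    if program != SYSTEM_PROGRAM or data[:4] != ADVANCE_NONCE or n_acc < 3:
        return None
    name = [keys[i].hex() if i < n_keys else "lookup-table account" for i in acc_idx]
    return {"nonce_account": name[0], "authority": name[2],
            "nonce_value": stored_hash.hex()}

def sample_message(accounts, data: bytes) -> bytes:
    """Constructed legacy message: 1 signer, 4 placeholder keys, one instruction."""
    keys = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, SYSTEM_PROGRAM]
    ix = bytes([3, len(accounts), *accounts, len(data)]) + data
    return bytes([1, 0, 2, 4]) + b"".join(keys) + b"\xaa" * 32 + b"\x01" + ix

NONCE_TX = sample_message([1, 2, 0], ADVANCE_NONCE)             # never expires
PLAIN_TX = sample_message([0, 1], struct.pack("<IQ", 2, 1_000)) # ordinary transfer
```

A signing tool or review script can refuse, or require out-of-band confirmation, whenever `durable_nonce_info` returns a result, since a signature on such a message remains usable until the nonce account is advanced.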

DeFi is not broken. But it is being tested harder than ever before.
#DriftProtocolHacked
#CreaterLeaderBoard
MasterChuTheOldDemonMasterChuvip
· 1h ago
Just go for it 👊
MasterChuTheOldDemonMasterChuvip
· 1h ago
Holding firm, HODL 💎
CryptoDiscoveryvip
· 5h ago
LFG 🔥