Drift Drain explained for dummies:


What is Drift?
think of Drift like a crypto bank/trading app
people deposit money there (like ETH, SOL, etc.)
the app then lets you:
• Trade
• Borrow
• Withdraw money
based on how much you deposited.
Important idea: “collateral”. This just means:
you put money in, and the app trusts you based on that amount. For example:
If you deposit $100, the app might let you use/withdraw/trade up to that value
Now the attack:
1) The attacker created a token called CVT, with a 750 MILLION supply, and only put $500 of liquidity on it.
They set the price of each token at $1, so it looked like they had hundreds of millions, but it was basically all fake.
2) They got “admin access” (admin key got compromised)
Admin key is like the master password of the whole system, whoever has it can:
• Add new assets
• Change rules
• Remove limits
And the attacker somehow got this key.
3) They tricked the system:
Using that admin power, they told Drift "this fake token is valid" and removed the safety limits (set them to 500 trillion, basically infinite)
Now the system trusted the fake token.
4) They deposited fake money:
They put in 785 million CVT and the system thought:
“ok this user has $785M”, even though it was all fake. (The LP only had $500 and the price was set at $1 by them.)
5) They withdrew real money:
Now the system said: “you have a lot of money, you can withdraw a lot” and so the attacker started taking REAL assets:
• 66.4M USDC (digital dollars)
• 42.7M JLP
• 23.3M MOODENG
• 5.6M USDT
• 5.2M USDS
• 2.6M JUP
• 583K RAY
• 477K WETH
and more, all in about 12 minutes.
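To make steps 3 to 5 concrete, here is an added example (not Drift's code and not part of the original post) that compares a collateral check trusting price × amount with one that also limits credit to what the token's liquidity could actually pay out. All function names, the 10% liquidity share, the 2x cap-change rule and the "old cap" value are assumptions chosen for illustration; the CVT figures are the ones quoted above.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    symbol: str
    price_usd: float           # price the protocol believes
    pool_liquidity_usd: float  # real money available to buy the token
    deposit_cap_tokens: float  # max tokens accepted as collateral

def naive_collateral_usd(asset: Asset, amount: float) -> float:
    """Trusts the listed price; the only guard is the deposit cap."""
    if amount > asset.deposit_cap_tokens:
        raise ValueError("deposit above cap")
    return amount * asset.price_usd

def guarded_collateral_usd(asset: Asset, amount: float,
                           max_share_of_liquidity: float = 0.10) -> float:
    """Credit at most a fraction of what the market could really pay out."""
    if amount > asset.deposit_cap_tokens:
        raise ValueError("deposit above cap")
    face_value = amount * asset.price_usd
    realizable = asset.pool_liquidity_usd * max_share_of_liquidity
    return min(face_value, realizable)

def cap_change_allowed(old_cap: float, new_cap: float,
                       max_multiplier: float = 2.0) -> bool:
    """Sanity rule for admin changes: no huge cap jump in a single step."""
    return new_cap <= old_cap * max_multiplier

# Values from the post: $1 price, $500 liquidity, cap raised to 500 trillion.
CVT = Asset("CVT", price_usd=1.0, pool_liquidity_usd=500.0,
            deposit_cap_tokens=500e12)
DEPOSIT = 785_000_000        # CVT deposited, per the post
OLD_CAP = 1_000_000          # constructed value, not from the post

if __name__ == "__main__":
    print("naive credit:  ", naive_collateral_usd(CVT, DEPOSIT))
    print("guarded credit:", guarded_collateral_usd(CVT, DEPOSIT))
    print("cap change ok: ", cap_change_allowed(OLD_CAP, CVT.deposit_cap_tokens))
```

With the naive check the deposit counts as $785M of collateral; with the liquidity guard it counts as $50, and the jump to a 500 trillion cap is rejected as an out-of-range admin change.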