#创作者冲榜 #Gate广场四月发帖挑战

"April Fools' Day Heist" Drift loses over $280 million

On April 2, the derivatives trading platform Drift Protocol experienced a security incident, with on-chain data showing losses exceeding $285 million. The project team stated that they have identified abnormal activity and are investigating, warning users not to deposit funds into the protocol for now, and emphasizing "this is not an April Fools' joke."

1. Reconstruction of the Drift Protocol theft incident

On April 1, 2026, Eastern Time, the Solana-based decentralized derivatives protocol Drift Protocol suffered a major hacking attack, with stolen assets totaling approximately $285 million. The main stolen assets include about 41.7 million JLP tokens worth $155.6 million, along with USDC, SOL, cbBTC, wBTC, and other assets. This theft became one of the second-largest in Solana history and one of the largest DeFi attacks ever.

The attack began in the early hours of April 2. On-chain monitoring platform PeckShield issued an alert: Drift’s main treasury address started transferring large amounts to a newly created wallet, HkGz4K. The initial transfers mainly involved JLP (Jito Liquidity Provider) tokens, valued at about $155 million, followed by USDC, SOL, cbBTC, wBTC, WETH, and some meme coins. PeckShield data shows that within a short period, assets totaling $285 million were drained.

According to Yuren Monitoring, the $285 million stolen from Drift has now been converted into 129,000 ETH (approximately $278 million). Over the past few hours, the hacker has sold these assets through various methods, bridged them to the Ethereum chain, and then purchased ETH on Ethereum. Currently, the $285 million worth of assets stolen on Solana has been exchanged for 129,066 ETH on Ethereum.

2. Controversy—"Hacker Infiltration" or "Insider Theft"

This attack was a carefully planned combination of permissioned intrusion and price manipulation. The core of the attack involved the hacker gaining admin privileges, forging tokens, and manipulating oracles to instantly bypass fund limits, robbing the protocol’s treasury. The hacker obtained the admin private key, disabled the protocol’s core risk controls (withdrawal limits), then used false collateral to withdraw large amounts from the liquidity pool, and laundered the funds through cross-chain transfers.

Regarding the theft of assets from Drift Protocol, Coz, founder of SlowMist, analyzed the incident and pointed out that a week before the attack, Drift had adjusted its multi-signature mechanism to “2/5” (one old signer + four new signers) and did not set a timelock. The attacker then gained admin access, forged CVT tokens, manipulated oracles, disabled security mechanisms, and transferred high-value assets from the liquidity pool.

Additionally, there are rumors circulating that a core member of the Drift team left over a month ago, but this has not been officially confirmed. There is no evidence to support this claim; it remains speculation/rumors circulating on X (Twitter). No specific names or confirmation from mainstream media or Drift’s official channels. Neither major news outlets nor Drift’s official statements mention any team member leaving a month prior.

Nevertheless, the possibility of “insider theft” is currently the most discussed and suspicious scenario within the community, even more plausible than “external hacker intrusion.” Previously, the official adjustment of the multi-signature mechanism made the permission structure too “attackable,” which seems intentional rather than accidental. The attack methods show a deep understanding of internal logic, unlike typical external hackers, and the official response to the large asset theft has been unusually calm. The funds were quickly converted into ETH and bridged across chains, without flowing into easily frozen centralized exchanges. These series of events and operational logic have fueled community suspicions of “insider theft” by Drift’s team.

3. Subsequent impact—Market reaction is unusual

Contrasting sharply with the scale of the attack and the dramatic “escape,” the market response has been extremely calm.

After the incident was exposed, ETH only rose slightly by 1.6% to $2,139; SOL fell just 2.2% to $81.3, far from a “collapse.” The total value locked (TVL) across the Solana network only decreased slightly by 1%, remaining at a high of $25.9 billion.

Drift’s own TVL was stable around $545 million before the incident. Solana’s daily active users (DAU) remained around 850,000, and perpetual contract funding rates showed no signs of panic.

There was no bank run or contagious sell-off.

4. Future outlook

For investors, short-term volatility (SOL dropping) might present a contrarian opportunity, as mature protocols like Jito and Kamino retain their “core” users. However, in the long term, such incidents could accelerate some conservative capital to shift toward more secure ecosystems like Ethereum.

For the industry, this incident highlights the risks of “hybrid centralized” components in DeFi (such as reliance on Circle cross-chain bridges). It also demonstrates that an ecosystem’s maturity is not only measured by its growth rate but also by its resilience after major shocks. Solana has passed this stress test, but the security alarm remains ringing. $BTC $ETH $SOL