Drift Protocol on Solana Hacked for $280M in Sophisticated Durable Nonce Attack

Drift Protocol Loses $280M in Major Exploit

On April 1, 2026, Drift Protocol — a prominent DeFi platform on Solana — suffered a devastating hack that drained at least $280 million in user funds. The attacker employed an elaborate scheme involving durable nonces and social engineering to compromise the protocol's Security Council multisig.

«We are observing unusual activity on the protocol. We are currently investigating. Please do not deposit funds into the protocol while we investigate. This is not an April Fools joke. Proceed with caution until further notice.» — Drift (@DriftProtocol), original post

The Drift team urged users to stop depositing funds and stressed that the incident was not an April Fools' Day prank.

Why This Matters

The Drift exploit ranks among the largest DeFi hacks ever recorded. It exposed critical vulnerabilities in multisig governance mechanisms even within established protocols. Statistics suggest that 80% of DeFi platforms fail to recover from major exploits of this magnitude. The incident also highlighted a systemic concern: centralized stablecoin issuers don't always act swiftly to freeze stolen assets, raising questions about the effectiveness of the industry's safety nets.

How the Attack Unfolded

According to Drift's developers, the hacker had been planning the operation for days. On March 23, the attacker created four wallets utilizing durable nonce mechanisms. Two of these wallets were linked to members of Drift's Security Council, while the other two remained under the hacker's direct control.

«Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers. This was a highly sophisticated operation that appears to have involved…» — Drift (@DriftProtocol), original post

At least two of the five multisig signatories approved transactions from these wallets. The development team believes the attacker used sophisticated social engineering techniques to secure these approvals.

When Drift performed a scheduled rotation of its Security Council days later, the hacker adapted by creating a new wallet for the updated multisig configuration on March 30. The attack itself came on April 1: shortly after Drift's team executed a legitimate test withdrawal from the insurance fund, the attacker triggered two pre-signed transactions. The first created and approved a malicious authority transfer, and the second executed it.

Stolen Assets Breakdown

The exploit affected all deposit types — lending, trading, and vault positions. DSOL tokens outside the Drift ecosystem and the Insurance Fund itself remained untouched.

On-chain analyst Vladimir S. published a detailed breakdown of the stolen assets:

«Assets stolen in dollars: $5.3M USDS, $60.4M USDC, $5.65M USDT, $430K JUP, $540K USDY, $590K ZBTC, $680K EURC, $1M BSOL, $2.5M INF, $2M MSOL, $3.3M SYRUPUSDC, $4.1M FARTCOIN, $4.4M WBTC, $3.6M JITOSOL, $4.7M WETH, $4.5M DSOL, $11.3M CBBTC, $155.6M JPL» — Vladimir S. | Officer's Notes (@officer_secret), original post

The stolen haul included wrapped Bitcoin variants, Jito tokens, the memecoin Fartcoin, stablecoins pegged to the US dollar, euro, and Japanese yen, along with various other altcoins. The hacker subsequently distributed the funds across multiple wallets.

Market Fallout

The protocol's native token DRIFT crashed nearly 37%, dropping from $0.07 to $0.04. Market capitalization was essentially cut in half — from $41 million to $25 million.

Drift's TVL stands at roughly $245 million. Community members are deeply skeptical about the protocol's ability to survive.

«I think Drift just… dies here? ByBit was able to get a billion dollar loan immediately after their hack because their yearly revenue numbers justified it. Drift doesn't make nearly enough money for a company/bank to comfortably underwrite a loan to fill the hole here. rip :/» — Eddie (@DancingEddie_), original post

Drift has frozen core protocol functions, updated its multisig, and removed the compromised wallet. The team is working with cybersecurity firms, cross-chain bridges, exchanges, and law enforcement to trace and block the stolen funds.

Circle Under Fire

The response — or lack thereof — from Circle, the company behind the USDC stablecoin, drew sharp criticism from multiple industry figures.

«Circle not freezing the USDC is hilarious because we know it's centralized but they're like nah, we'll let the money freely flow to North Korea. I like USDC since it's a programmable stablecoin for all of DeFi and enables innovation. But we can freeze the money flowing to NK» — Tommy (@Shaughnessy119), original post

Delphi Digital co-founder Tommy Shaughnessy called the situation absurd, noting that everyone is aware USDC is centralized yet Circle apparently chose not to freeze the stolen funds.

On-chain investigator ZachXBT pointed out that the hacker moved hundreds of millions of dollars from Solana to Ethereum via CCTP during US business hours, and Circle did nothing to intervene. As of publication, the company still had not taken any action. Notably, ZachXBT had already criticized Circle just days earlier — for mistakenly freezing 16 wallets in late March.