Drift Protocol Hit by $280M+ Exploit, Marking Solana's Biggest DeFi Loss of 2026

Source: Odaily Planet Daily (@OdailyChina) | Author: Wenser (@wenser 2010) As geopolitical tensions remain elevated, the crypto market has been shaken by another major security incident. On April 1, Drift Protocol, a leading Solana-based derivatives platform, was exploited for more than $280 million in JLP-related assets—days after it updated its multisig settings to a 2-of-5 threshold with no timelock. Drift has confirmed the platform is under active attack and has suspended all deposits and withdrawals. Multiple affected teams have stressed that this is “not an April Fools’ joke.” Attack details: 11 large transfers, treasury drained within minutes Early findings point to privilege escalation combined with a multisig execution weakness. SlowMist founder Yu Xian said the protocol moved a week earlier to a 2/5 multisig without a timelock (allowing immediate execution), using one older wallet plus four new signer wallets. According to his summary, the attacker seized management privileges, minted counterfeit CVT tokens, manipulated oracle inputs, disabled relevant safety mechanisms, and emptied pool assets. On-chain data indicates the attacker first acquired 41.72 million Jupiter Liquidity Tokens (JLP) worth about $155.6 million, then rapidly moved large amounts of USDC and other tokens. Funds were bridged to Ethereum and used to buy roughly 19,913 ETH (about $42.6 million). The sequence involved around 11 major transactions, including: - 51.61 million USDC (about $51.62 million) - 125,000 WSOL (about $10.45 million) - 164,000 cbBTC (about $11.29 million) Hacker wallet address: HkGz4KmoZ7Zmk7HN6ndJ31 UJ1qZ2qgwQxgVqQwovpZES. In a matter of minutes, Drift's treasury reportedly fell from $309 million to $41 million. Around 3 a.m., Drift said it was coordinating a response with multiple security firms, cross-chain bridges, and exchanges. Cause still unconfirmed; admin key compromise seen as top suspect Drift has not released a definitive root-cause statement. Security firm PeckShield said the most likely scenario is an admin key compromise that enabled treasury control through privileged access—suggesting an operational security breach rather than a smart-contract bug. Community discussion also points to a potential collateral-parameter manipulation: inflating thin-liquidity asset values, borrowing higher-value tokens against the inflated collateral, then extracting funds from the vault—a pattern consistent with prior governance-style DeFi attacks. Investigators have not ruled out smart-contract issues or oracle manipulation, and the investigation remains ongoing. Additional on-chain breadcrumbs show the attacker's Solana wallet was funded with just 1 SOL last week and earlier received a small test transfer of about $2.52 from the Drift treasury, implying prior permission checks. Funds linked to the attacker also appear to originate from Backpack, which could leave KYC-related traces. Market impact: DRIFT down sharply, SOL briefly pressured Following the news, risk sentiment deteriorated across Solana DeFi. DRIFT fell more than 38% over the past 24 hours to around $0.042, extending its decline to over 98% from its November 2024 all-time high of $2.60. SOL dipped below $80 and was down nearly 5% over 24 hours, last around $78.60. Phantom has displayed a risk warning to users attempting to access Drift. Solana treasury-backed firms Forward Industries and DeFi Development Corp said their funds were not affected. Broader fallout across Solana DeFi Based on statistics shared by crypto commentator @lugeweb3, projects reporting direct losses or material disruption include: - @piggybank_fi: $106,000 stolen; team adding liquidity to compensate users - @DeFiCarrot: Boost and Turbo unaffected; mint/exchange temporarily paused - @uselulo: Traditional deposits may be affected (protected/enhanced deposits unaffected) - @reflectmoney: USDC+ and USDT+ minting/redemptions frozen; borrowing backed by Drift markets suspended - @ranger_finance: rgUSD deposits/withdrawals paused; $900,000 of $14.6 million TVL on Drift frozen - @elementaldefi: SOL and Lend funds on Drift frozen (USDC and ONYC safe) - @TradeNeutral: Drift-related vaults (JLP, BTC/ETH/SOL superstaking, Hyper JLP, etc.; $3.6 million TVL) potentially impacted; deposits/withdrawals paused - @xplaceapp: deposits/withdrawals unavailable; credit mode and lending disabled - @GetPyra: funds impacted; all card functions suspended - @ExponentFinance: USDC+ related trading suspended - @fusewallet: deposits temporarily suspended - @perena: stablecoins unaffected but redemptions paused; Neutral Trade's JLP Vault ($512K TVL) may be impacted Projects explicitly stating they are unaffected include: @JupiterExchange @kamino @UnitasLabs @onrefinance @solflare @hylo_so @MarinadeFinance @synatraxyz @solsticefi @defidevcorp @jito_sol @s2> MeteoraAG @sanctumso @wormhole Largest Solana DeFi attack of 2026 Drift's TVL was about $550 million before the incident. Estimated direct losses reached as high as $285 million, making this the biggest DeFi security loss reported so far in 2026 and potentially one of the most significant Solana DeFi incidents since the Wormhole bridge exploit. For context, March saw roughly $52 million in DeFi losses across 20 major incidents; this single event has materially lifted year-to-date figures and underscored a recurring industry lesson: code audits alone are not enough—operational security can be the decisive failure point. Odaily Planet Daily advises users not to deposit funds or interact with Drift until the protocol releases a full investigation report and a clear remediation plan.