Solana DeFi lender Drift hit in 10-second exploit; $220M stolen and more than 15 projects report fallout

At around 1:00 a.m. today, Solana-based DeFi lending protocol Drift suffered a major exploit that drained more than $220 million of user assets in roughly 10 seconds. Following the incident, the DRIFT token fell more than 40% in a short span, putting its fully diluted valuation at about $44 million. With Drift intertwined across the Solana ecosystem, several related tokens including SOL and JUP also saw abnormal declines. Drift had been among Solana's largest lending protocols and has raised more than $52 million, according to RootData. Backers include Multicoin Capital, Polychain, Robot Ventures, Blockchain Capital, Ethereal Ventures, and Jump Capital. Public analyses link the theft to exposed multisig controls, compounded by familiar vectors such as governance and oracle manipulation. The attacker reportedly used a single signature to execute a one-transaction sequence: creating a fake market, manipulating an oracle feed, and removing withdrawal restrictions. Chaos Labs founder Omer Goldberg outlined a timeline suggesting the vulnerability emerged about a week ago, when Drift migrated admin permissions from an old multisig to a new multisig created by one of the old signers—but that signer did not add themselves to the new multisig. The attacker then exploited the gap by initiating a proposal in the old multisig to transfer Drift's admin rights to a new wallet controlled by the attacker. The new multisig reportedly had five signers, only one drawn from the original set, with the other four newly added. Its configuration was highly permissive: a 2-of-5 approval threshold and a zero-second timelock, allowing proposals to execute immediately after approval. Early this morning, the last remaining original signer submitted a proposal via the new multisig to change Drift's admin rights to the attacker-controlled wallet. Seconds later, another new signer approved it, meeting the 2/5 threshold. With no timelock, the change executed instantly and granted the attacker full administrative control. Using those privileges, the attacker created a CVT spot market on Drift. CVT has an estimated total supply of about 750 million tokens, with roughly 600 million held by the attacker. The attacker then pointed Drift to a SwitchboardOnDemand oracle under their control. Afterward, they pushed up the price of the near-worthless CVT token through 20 transactions, making the attacker's CVT position appear to be worth hundreds of millions of dollars according to the oracle. On that basis, the attacker borrowed an estimated $220 million to $280 million in assets, including 41.72 million JLP (Jupiter LP tokens, valued at about $155 million), 51.61 million USDC, and 164 cbBTC (valued at about $11.29 million). The incident is also rippling across Solana's DeFi stack. The sector's modular integrations—often touted as a strength—are now spreading risk to other protocols that rely on Drift's lending market. Jupiter is viewed as the biggest casualty, as the stolen JLP represents the core LP asset for Jupiter's perpetual futures market. The loss is expected to materially reduce liquidity in that market and may trigger knock-on effects such as panic withdrawals and further pressure on the JUP token. More than 15 protocols have confirmed exposure to the Drift breach and, in some cases, temporarily suspended withdrawals. Projects cited include Perena, Project 0, Exponent, Carrot, Ranger, PiggyBank, Reflect, Elemental, Neutral Trade, Pyra, Fuse, and XPlace. Market observers noted that users ultimately bear the brunt of repeated DeFi hacks, as ongoing incidents continue to erode confidence. After losing more than $6,000 in this event, prominent KOL Tuyao DashiXiong posted that they were withdrawing funds from older projects across chains and avoiding new deployments without thorough due diligence, warning that "it's a turbulent time" and not to "test human nature."