Background of Publication: On April 1, 2026, a major security incident suddenly occurred in the Solana ecosystem derivative protocol Drift Protocol. The Drift team officially confirmed that the protocol was under an active attack and suspended deposits and withdrawals. Subsequently, on-chain monitoring and multiple media reports revealed that the protocol’s main vault experienced a large-scale abnormal asset outflow within a very short time, with public estimates of losses between $270 million and $285 million.

This incident deserves in-depth study not only because of the massive amount involved but also because it closely resembles one of the most dangerous types of DeFi accidents seen in recent years: it’s not a small contract bug at the user level, nor a single price feed crash, but a compositional manipulation after administrative privileges were compromised, affecting core parameters, price inputs, and withdrawal limits—ultimately draining real assets in an extremely short time. As the official team has not yet released a complete post-mortem, this article will clearly distinguish between “confirmed facts” and “external analytical inferences.”

The hacker’s address is: HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES

I. Conclusion First: This was not a single-point vulnerability, but a complete attack chain

 

So far, the official statements from Drift have been relatively restrained: the protocol suffered an active attack, deposits and withdrawals have been paused, and the team is collaborating with multiple security firms, bridges, and exchanges. The root cause, final loss amount, freezing progress, and full recovery plan have not yet been disclosed.

However, based on on-chain data, first-hand threads on X, and media summaries, the attack likely followed the chain below:

 

  1. The attacker pre-deployed a low-liquidity fake asset called CVT;
  2. The attacker then obtained sufficient administrative privileges;
  3. Used admin capabilities to introduce CVT or its price source into the protocol’s risk framework;
  4. Manipulated or polluted the price so that CVT became grossly overvalued within the protocol;
  5. Modified several key parameters, especially those related to real-asset withdrawals and risk limits;
  6. Finally, within seconds or minutes, rapidly withdrew various real assets such as USDC, cbBTC, WETH, dSOL, WSOL, and JLP;
  7. Afterward, converted the stolen assets to USDC, bridged to Ethereum, and consolidated them by purchasing ETH.

This explains why external reports mention keywords such as “admin key compromise,” “CVT,” “oracle manipulation,” “withdrawal limit escalation,” and “massive asset drain in 15 seconds” simultaneously—these are not conflicting descriptions but rather different links in the same attack chain.

II. Event Timeline: From abnormal outflow to official shutdown

 

1. Official confirmation of active attack

Drift officially posted on X that the protocol was undergoing an “active attack,” announced the suspension of deposits and withdrawals, advised users to stop depositing funds, and stated that it was coordinating with security teams, bridge partners, and exchanges. This indicated two things: first, the anomaly was not ordinary market volatility but a protocol-level security event; second, the team quickly realized the issue originated from the core system layer.

2. Rapid, large-scale multi-asset outflows on-chain

Soon after, multiple monitoring platforms and media reported massive asset outflows from Drift’s main vault within an extremely short period. Frequently cited figures include: 41.721M JLP, 51.616M USDC, 164.349 cbBTC, 125K WSOL, 2201 WETH, 45,292 dSOL, covering more than ten asset types. The vault balance dropped from around $309 million to about $41 million.

This shows the attacker didn’t target just one pool or token but instead had permissions broad enough to operate across multiple markets and asset pools. Such behavior is more characteristic of a governance/admin-level privilege compromise than “an arbitrage exploit following a single pair’s flash crash.”

3. Assets quickly converted to stablecoins and bridged

Lookonchain reported on X that the attacker quickly converted the stolen assets into USDC, bridged them to Ethereum, and purchased ETH. In other words, the latter half of the attack was not “leaving the stolen assets on Solana” but followed a classic high-value laundering route: multi-asset aggregation → stablecoin conversion → cross-chain transfer → consolidation into ETH on a high-liquidity main chain.

 

This step is critical for subsequent freezing and tracking efforts. Once funds move from low-liquidity or easily identifiable assets into USDC, then onto Ethereum, then into ETH, tracking remains possible but the window for freezing typically narrows rapidly.

III. How big was the loss: $213M, $240M, $270M, or $285M?

 

One of the main sources of confusion in this incident was the wide range of loss estimates released within a short time. Early reports cited $213 million, later followed by $240M, $270M, $277M, and $285M. These differences can be unpacked.

Currently, two publicly cited ranges appear most credible:

  • About $270 million: based on on-chain measurements of outflows from the main vault;
  • About $285 million: a higher estimate quoted by some media outlets citing security team assessments.

The discrepancies arise mainly from three factors:
First, some counts included only the initial confirmed outflows;
Second, others also included subsequent outflows of WETH, dSOL, LP shares, etc.;
Third, some used the peak price at the moment of the exploit instead of a more conservative post-trade valuation.

Therefore, the most accurate phrasing in formal reports should avoid a fixed number, instead stating:
“Public estimates place losses between $270 million and $285 million; early community reports cited around $213 million, later adjusted upward as more data emerged.”

IV. Pre-attack preparation: CVT was not improvised but a pre-planted “fake collateral”

 

Multiple external analyses and media sources suggest that the attacker began setting up a fake token called CarbonVote Token (CVT) weeks before the incident. Reportedly, about 750 million CVT were minted, and a trading pool was created on Raydium with extremely low liquidity—only a few hundred dollars.

 

This kind of operation itself isn’t new. The danger is not in “someone launching a token,” but rather that if a protocol admin can include such assets in pricing, collateral, margin, or risk parameter systems—and the protocol trusts prices influenced by illiquid markets—then the fake asset can be presented as “valuable collateral.”

Analysts generally believe that CVT was pre-created not for immediate profit-taking but to create a record of price history. This way, once admin privileges were obtained, the attacker could inject an asset that already appeared to have a “market price” into key risk paths, instead of fabricating value from scratch.

V. The key turning point: Compromised admin privileges made this attack systemic

 

From current information, what escalated the incident from “abnormal trading” into a “systemic vault drain” was not CVT itself but the loss of admin control. As summarized by Decrypt from external researchers and security experts, this incident resembled a compromised private key leading to a takeover of administrative functions rather than a simple public contract logic bug.

Why is this so critical? Because even if a user exploited a price error, they couldn’t withdraw all real assets. But once an attacker obtained admin privileges, they could perform three fatal actions:
1. Modify market parameters;
2. Adjust withdrawal limits and risk thresholds;
3. Force unapproved assets or price feeds into core valuation logic.

This kind of attack doesn’t just bypass the rules—it takes control of the rule-making hand itself.

Many posts on X mentioned that Drift’s admin execution system may have had a low-threshold multisig with zero timelock—the so-called “2/5 multisig, 0 timelock.” While the Drift team hasn’t confirmed these specifics, the theory aligns with the on-chain evidence of rapid parameter changes.

VI. Price pollution stage: CVT overvalued, protocol “paper equity” inflated

 

Drift’s documentation explicitly states the protocol’s heavy reliance on oracles for pricing, funding rates, and risk management. It also acknowledges that incorrect oracle data can cause erroneous liquidations and losses. The AMM docs show that Drift’s price mechanisms frequently align with oracle values, influencing settlement and valuation logic throughout.

This means that if an attacker can get a fake asset’s price accepted by the protocol, the consequences go far beyond “wrong display prices.” It directly affects margins, borrowing power, withdrawal rights, liquidation thresholds, and even AMM risk assessments tied to positions.

External analysis suggests that after gaining admin rights, the attacker inserted CVT into the system’s risk calculation path and used its illiquid pool to drive its price to absurd highs—creating massive “paper wealth” in the protocol ledger. This “wealth” wasn’t from real counterparties, but from polluted price inputs.

VII. The real cash-out move: lifting withdrawal limits to trade fake value for real assets

Just inflating CVT’s price wasn’t enough. The fatal step was turning the fake book equity into withdrawable real assets from the vault.

According to the most common version, the attacker then altered multiple withdrawal/risk parameters across genuine asset markets, dramatically raising withdrawal limits. Community accounts often mention five real-asset markets with withdrawal caps increased twentyfold. Note that these numbers come from external analyses, not official Drift reports, but they align with on-chain outcomes—since assets stolen were the real ones: USDC, cbBTC, WETH, dSOL, WSOL, JLP.

Essentially, the attacker swapped an unbacked fake collateral for real, liquid assets inside the vault by leveraging admin control and manipulated parameters.
In other words, the attacker didn’t profit through trading, liquidation, or arbitrage—they redefined what counted as “valid collateral” and “permissible withdrawal” inside the protocol.

VIII. Why the execution took only seconds: because the setup was long done

 

External reports often emphasize “$200M+ drained in 15 seconds,” which sounds shockingly fast. But piecing the steps together, this speed isn’t surprising.

The real time-consuming part was preparation before withdrawal:

  • Pre-deploying CVT;
  • Generating price history in advance;
  • Potentially scouting and compromising admin privileges;
  • Designing parameter-change sequences ahead of time;
  • Preparing fund aggregation and bridging routes.

Once all this was ready, the on-chain footage shows just a brief execution window:
Modify parameters → open withdrawal capacity → withdraw real assets → swap and bridge out immediately.
Thus, “core withdrawals completed in seconds” is not contradictory to “weeks of preparation”—it’s a hallmark of such attacks.

IX. Fund movement: from multi-asset Solana holdings to ETH on Ethereum

 

After the heist, the attacker didn’t keep assets in their original forms. Lookonchain’s monitoring shows that they converted stolen assets into USDC, bridged them to Ethereum, then bought ETH—some reports say tens of thousands of ETH accumulated.

This path is significant in several ways:
1. It shows the attacker had a premeditated contingency plan, not a spontaneous act;
2. It shows many stolen assets were unsuitable for long-term storage or transfer, prompting stablecoin conversion;
3. It shows that in incidents like this, the responsiveness of bridges and centralized exchanges directly affects asset recovery rates. The team’s immediate coordination with these parties indirectly confirms this.

X. Root cause analysis: this incident revealed not one problem but four layers of failure

 

1. Insufficient admin privilege security

If external assessments that admin keys or signing rights were compromised are correct, the first issue is excessively fragile privilege security. For a high-TVL protocol, any right capable of altering core markets, price feeds, or withdrawal limits shouldn’t rely on low-threshold multisig or allow instantaneous execution.

2. Lack of timelocks and circuit breakers for high-risk changes

Even with stolen admin privileges, the protocol needn’t have been emptied instantly. If high-risk actions like “adding new risky assets,” “modifying oracle sources,” “loosening withdrawal limits,” or “changing market risk parameters” required mandatory timelocks, two-step approvals, or stricter auditing, the attacker couldn’t have completed the chain in seconds.

3. Weak defense against low-liquidity assets in price/risk models

The CVT narrative is alarming because it exploited the fact that low-liquidity assets can be easily pumped while being mistakenly trusted by the protocol’s risk model. For any derivative, lending, or cross-margin protocol, “tradable anywhere” and “eligible risk asset” must never be treated as the same thing.

4. Missing last-line withdrawal safeguards against “sudden equity inflation”

Even if faulty pricing were introduced, the protocol should’ve had a final safeguard:
If an account suddenly gains huge on-paper equity due to the price spike of a tiny-cap asset, its cross-asset or blue-chip asset withdrawals should trigger stricter checks, haircuts, delays, or manual reviews.
The outcome suggests this safeguard either didn’t exist or could be bypassed via admin-level modification.

XI. Lessons for all DeFi protocols

 

The key takeaway from the Drift incident isn’t “the hacker created a fake coin” but rather: any protocol that allows admins to rapidly modify core risk parameters without sufficient delay or isolation mechanisms will...