- Drift Protocol was drained of over $285 million on April 1, the second largest exploit in Solana history after the $326 million Wormhole bridge attack
- The attacker gained admin key access eight days before the attack, then drained multiple vaults in under an hour
- DRIFT token fell nearly 28% and deposits remain suspended while the team coordinates with security firms and exchanges
April 1 is not a great day to tell your users something bad is happening and expect them to believe you.
Drift Protocol tried anyway. “This is not an April Fools joke,” the team posted on X at 2:58 PM ET on Wednesday, as hundreds of millions of dollars were moving out of their vaults in real time. “Deposits and withdrawals have been suspended. We are coordinating with multiple security firms, bridges, and exchanges to contain the incident.”
By the time the dust settled, over $285 million was gone. The second largest exploit in Solana history, behind only the $326 million Wormhole bridge attack.
What Actually Happened
This was not a smart contract bug. The attacker did not find a flaw in the code and exploit it. They got the keys.
PeckShield founder Jiang Xuxian told Decrypt plainly: “The admin keys behind Drift were definitely leaked or compromised.” With admin access, the attacker could bypass every protocol-level protection. The vault doors were open from the inside.
The wallet that drained Drift, beginning with HkGz4K, was funded just eight days before the attack with a single SOL. It sat dormant. Then on April 1 at 11:06 AM, it received 41 million JLP tokens worth $155 million from the Drift vault in a single transfer. Within an hour, SOL, USDC, cbBTC, and wBTC followed. Total outflows crossed $285 million before the protocol could respond.
Before the attack, Drift had $550 million in total value locked. The exploit wiped out more than half the platform’s liquidity in under sixty minutes.
How the Money Moved
The attacker did not sit on the funds. They moved fast and deliberately.
On-chain analysts tracked the stolen assets being swapped into USDC through Jupiter, Solana’s DEX aggregator, then bridged to Ethereum. By 17:45 UTC the attacker held nearly 20,000 ETH worth roughly $42 million. Additional SOL was deposited directly to Hyperliquid and Binance, exchanges that can theoretically freeze or flag the funds if they act quickly enough.
Circle, which issues USDC, was contacted immediately. Some portion of the stolen stablecoins may be freezable on the Ethereum side. Whether that amounts to meaningful recovery remains to be seen. Historical precedent on DeFi hacks suggests most of the money does not come back.
What Drift Users Should Do Right Now
If you have interacted with Drift Protocol, two actions matter.
Revoke any wallet approvals tied to Drift. Phantom wallet users can review connected apps directly in the wallet interface. Do not interact with the protocol until Drift publishes an official update confirming the exploit is contained.
Do not deposit anything. The protocol has suspended deposits and withdrawals but some users may still see interfaces that appear functional. They are not.
The Broader Problem
Drift was not a fringe protocol. It was a core piece of Solana’s DeFi infrastructure, the primary venue for perpetual futures trading on the network, processing nearly $70 million in daily volume before the attack.
Solana has spent the past year building a credible DeFi narrative to compete with Ethereum. The meme coin cycle ran on Solana. The consumer app cycle ran on Solana. Institutional interest was growing. Yesterday set that narrative back in a way that price charts cannot fully capture.
Admin key security is a known and solvable problem. Multi-signature requirements, hardware security modules, time-locked transactions. The tools exist. The question after every exploit like this is the same one: why were they not in place?
The DRIFT token is down nearly 28% on the day. The protocol is offline. And somewhere on the Ethereum network, an attacker is sitting on $42 million in ETH and waiting for the noise to die down.
