#Gate广场四月发帖挑战

$285 million drained in 12 minutes. The largest DeFi exploit of 2026 did not happen because of a smart contract bug. It happened because two people were tricked into signing documents they did not fully understand.
On April 1, 2026, Drift Protocol, the largest decentralized perpetual futures exchange on the Solana blockchain, was dismantled by an attacker who had been preparing for weeks. What followed was one of the most technically precise and structurally damaging exploits in DeFi history.
THE PROTOCOL BEFORE THE ATTACK
Drift Protocol was a dominant decentralized derivatives venue on Solana, holding over $550 million in total value locked. It served as a core infrastructure layer for perpetual futures trading, borrowing, and leveraged positions.
More than 20 Solana-based protocols were integrated with Drift or had treasury exposure to it. This deep integration is why the impact did not remain isolated.
THE ATTACK STRUCTURE
The exploit was not a smart contract failure but a governance failure.
March 23, 2026:
The attacker created four durable nonce accounts. This Solana feature allows pre-signed transactions to remain valid indefinitely. Instead of expiring quickly, these approvals could be executed at any chosen time.
March 23–30:
Through targeted social engineering, the attacker convinced two of five Security Council multisig signers to pre-sign transactions. These approvals were stored using durable nonce accounts.
This created a valid 2-of-5 authorization that could be executed later.
Before the attack:
The attacker minted a fake token called CarbonVote Token (CVT), creating artificial liquidity and price history to make it appear legitimate.
APRIL 1 EXECUTION
Seconds before the exploit:
The attacker used compromised admin access to:
Add CVT as collateral
Disable the protocol’s circuit breaker
Then a borrow loop was executed:
Deposit CVT
Borrow real assets
Repeat
Because manipulated price data treated CVT as valid collateral, the system processed these as fully backed loans.
THE 12-MINUTE DRAIN
Five vaults were drained, including USDC, wrapped Bitcoin, Solana, and JLP tokens.
Total loss: approximately $285 million, over 50% of total value locked.
The actual execution took seconds, while the full transaction sequence unfolded over roughly 12 minutes.
STOLEN ASSETS
Around $230 million in USDC
Remaining in BTC, SOL, and protocol tokens
The attacker quickly converted assets into liquid forms and began cross-chain transfers.
Funds were bridged from Solana to Ethereum using Circle’s Cross-Chain Transfer Protocol in over 100 transactions. Once moved, assets were distributed across multiple wallets.
ATTRIBUTION
Blockchain forensics firms including Elliptic, TRM Labs, and DivergSec identified patterns consistent with North Korea’s Lazarus Group.
Indicators included:
Use of Tornado Cash infrastructure
Timing patterns
Cross-chain movement strategies
Rapid laundering behavior
This aligns with previous major exploits, including the Ronin and Bybit incidents.
CONTAGION EFFECT
Drift’s integration caused wider damage across Solana’s DeFi ecosystem.
Affected protocols increased from 11 to 20
Multiple projects reported losses
Some lost all deployed funds
Drift’s TVL dropped from $550M to under $232M within hours.
Deposits and withdrawals were halted, and exchanges flagged the DRIFT token for risk.
CIRCLE CONTROVERSY
A major issue emerged around Circle’s response.
Despite $230M in USDC moving through its infrastructure, no immediate freeze action was taken during the attack.
This raised concerns about whether stablecoin issuers can realistically respond in real time during exploits.
THE CORE FAILURE
The root cause was governance design.
On March 27, Drift migrated its Security Council:
2-of-5 multisig threshold
Zero timelock
No delay between approval and execution
This meant two compromised signatures could trigger full control instantly.
There were no safeguards, no monitoring alerts, and no delay mechanisms.
BROADER CONTEXT
This is:
The largest DeFi exploit of 2026
Among the largest in Solana’s history
The pattern reflects a shift in attack strategy:
Focus on governance vulnerabilities
Use of social engineering
Rapid execution beyond human response speed
CONCLUSION
The Drift exploit was not a failure of code. It was a failure of governance, operational security, and response systems.
Two signatures, obtained through manipulation, unlocked access to hundreds of millions in user funds.
The implications extend beyond one protocol. They raise fundamental questions about how secure DeFi infrastructure can be when governance systems remain vulnerable.
#DriftProtocolHacked
#CreaterLeaderBoard