Drained in Hours

On the night of April 2, Norwegian time, Drift Protocol confirmed via its official X account that the protocol was under active attack. All deposits and withdrawals were immediately halted. The team added an unusual clarification: “This is not an April Fool's joke” – a necessary statement given that the attack occurred on the first day of the year.

According to Decrypt, approximately $285 million in digital assets was stolen; security firm Elliptic put the figure closer to $286 million once all assets were accounted for. The attacker drained, among other things, 41.7 million JLP tokens worth around $155 million, 51.6 million USDC, 125,000 wrapped SOL, and significant amounts of cbBTC.

Key figures: $285M stolen; Drift TVL before/after: ~$550M → $250M.
Drift Protocol Hacked for $285 Million – North Korea Suspected

Not a Smart Contract Problem

Drift Protocol emphasized that no flaws in the smart contract code itself were exploited. According to the protocol, the attack was a “highly sophisticated operation” that combined Solana's so-called “durable nonces” – a mechanism for pre-signed transactions with delayed execution – with compromised multisig approvals. This gave the attacker administrative control over Drift's security sector.

Experts cited by Decrypt highlight an important distinction: the vulnerability lay with the individuals managing the administrative keys, not in the code they controlled. Investigations suggest that the attacker prepared for weeks and conducted a test transfer approximately eight days in advance.
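A defender-side check for the durable-nonce mechanism described above, as an added example that is not Drift's or any cited firm's code: it flags transactions that open with the System Program's `AdvanceNonceAccount` instruction and also invoke a monitored admin program. The simplified transaction layout, the sample data and every program or account ID other than the System Program's are constructed placeholders.

```python
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction variant index, serialized as u32 LE
# Placeholder: substitute the admin/multisig program IDs you monitor.
WATCHED = {"ADMIN_PROGRAM_ID_PLACEHOLDER"}


def uses_durable_nonce(tx):
    """True if the first instruction is System AdvanceNonceAccount, which is
    what marks a transaction as using a durable nonce instead of a recent
    blockhash (so a signed copy does not expire)."""
    if not tx["instructions"]:
        return False
    first = tx["instructions"][0]
    data = bytes.fromhex(first["data_hex"])
    if first["program_id"] != SYSTEM_PROGRAM or len(data) < 4:
        return False
    return struct.unpack_from("<I", data)[0] == ADVANCE_NONCE_ACCOUNT


def review(txs, watched=WATCHED):
    """Return durable-nonce transactions that also invoke a watched program."""
    findings = []
    for tx in txs:
        if not uses_durable_nonce(tx):
            continue
        hit = sorted({i["program_id"] for i in tx["instructions"][1:]} & watched)
        if hit:
            accts = tx["instructions"][0]["accounts"]  # first account = nonce account
            findings.append({"signature": tx["signature"], "programs": hit,
                             "nonce_account": accts[0] if accts else None})
    return findings


def ix(program_id, data_hex, accounts=()):
    return {"program_id": program_id, "data_hex": data_hex, "accounts": list(accounts)}


# Constructed sample transactions in a simplified decoded form (not RPC output).
NONCE_IX = ix(SYSTEM_PROGRAM, "04000000", ["NONCE_ACCOUNT_PLACEHOLDER"])
ADMIN_IX = ix("ADMIN_PROGRAM_ID_PLACEHOLDER", "01")
SAMPLE_TXS = [
    {"signature": "sig-1", "instructions": [ADMIN_IX]},  # normal blockhash tx
    {"signature": "sig-2", "instructions": [NONCE_IX, ix("OTHER_PROGRAM_PLACEHOLDER", "00")]},
    {"signature": "sig-3", "instructions": [NONCE_IX, ADMIN_IX]},  # should be flagged
    {"signature": "sig-4", "instructions": [ix(SYSTEM_PROGRAM, "02000000" + "00" * 8), ADMIN_IX]},
]

if __name__ == "__main__":
    for finding in review(SAMPLE_TXS):
        print(finding)
```

A hit is not proof of compromise, since durable nonces have legitimate uses; it identifies admin actions whose signatures may have been collected well before execution and therefore merit a second look.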

The attacker quietly tested the system for over a week before the treasury was emptied

Elliptic Points to North Korea

Blockchain security firm Elliptic has identified several indicators linking the attack to North Korea (DPRK). The firm cites consistent on-chain behavior, known money laundering patterns, and network indicators previously associated with state-sponsored North Korean operations. The claim has not yet been confirmed by independent authorities and should be treated as a qualified suspicion rather than an established fact.

Crypto investigator ZachXBT also criticized Circle, the issuer of USDC, for a slow response: the attacker reportedly had several hours to exchange stolen funds into USDC and use them to bridge to the Ethereum chain before any freeze mechanism was activated.

Contagion Effect in the Solana Ecosystem

The attack triggered widespread fear of contagion effects in Solana's DeFi universe. According to research data, Solana's total TVL fell by nearly one billion dollars within a few hours as users withdrew from other protocols. Jito, Raydium, and Sanctum all recorded outflows of between four and five percent. Protocols PiggyBank_fi and Reflect Money temporarily halted deposits, withdrawals, and lending functions.

The DRIFT token fell between 20 and 40 percent immediately after the incident.

Viktoras Karapetjanc from Traders Union described the incident to Decrypt as a “significant reputational challenge” for Solana – a chain already operating in a macro environment characterized by risk aversion, with the Fear & Greed Index down to 12 out of 100 at the time of publication.

Drift Cooperates with Authorities

Drift Protocol states that it is coordinating with several security firms, cross-chain bridges, centralized exchanges, and law enforcement authorities to track the stolen funds and attempt to recover them. A more detailed incident report has been promised but had not been published at the time of publication.

Alongside the Ronin Network's loss of $625 million in 2022 – an attack also linked to North Korea – the Drift incident represents one of the largest DeFi thefts in blockchain history, once again raising the question of whether administrative security in protocols is adequate.

Sources: Decrypt, Elliptic, ZachXBT (on-chain)