Drift Protocol, a major Solana-based DeFi exchange, has suffered a $285 million social engineering-driven exploit that weaponized a compromised administrator key rather than any code flaw.

Summary

  • Drift Protocol suffered a $285 million exploit on April 1, making it one of the largest DeFi hacks in Solana’s history, triggered by a compromised administrator key rather than a smart contract flaw.
  • Solana Foundation Chair Lily Liu and CPO Vibhu Norby both confirmed via X that the attack vector was social engineering and operational security failures, not code-level vulnerabilities.
  • SOL dropped 9% to an intraday low of $78.60 following the breach, with Wormhole warning that some Solana cross-chain transactions may face delays as a result.

Drift Protocol, a decentralized exchange built on Solana, was drained of approximately $285 million in digital assets on April 1 in what security researchers believe was a social engineering attack targeting the protocol’s administrative key infrastructure, according to Bloomberg. PeckShield Inc. was among the first firms to flag the breach, identifying that a significant portion of stolen funds were converted into USDC, the dollar-pegged stablecoin issued by Circle, based on on-chain data. The attack unfolded in approximately 12 minutes across 31 transactions, emptying nearly 20 vaults and netting, among other assets, 66.4 million USDC, 42.7 million JLP, 23.3 million MOODENG, 5.6 million USDT, 5.2 million USDS, 2.6 million JUP, 583,000 RAY, and 477,000 WETH.

Blockchain data shows that the attacker exploited a compromised Drift administrator key to list CVT as a new spot market on the platform and simultaneously raised withdrawal limits for USDC and four other markets to 500 trillion, effectively nullifying the protocol’s internal security controls. Using fraudulent collateral, the attacker was then able to withdraw freely from Drift’s spot market vaults. The use of different signature keys across the 31 transactions suggests that either the key management infrastructure was compromised or that multiple authoritative keys were accessed, pointing to a coordinated, targeted operation rather than an opportunistic smart contract bug.

The native DRIFT token fell from roughly $0.072 to $0.055 in the immediate aftermath, as users rushed to withdraw liquidity and the protocol halted deposits and withdrawals.

“The real target of the attack is people”

Lily Liu, chair of the Solana Foundation, addressed the incident directly on X, stating: “The Drift incident has far-reaching effects, impacting the entire ecosystem. The Drift team is working around the clock to investigate and control the situation, and we are doing our best to provide support. The smart contract itself has withstood the test. The real target of the attack is ‘people’ — more related to social engineering and operational security vulnerabilities rather than exploits at the code level.”

Vibhu Norby, Chief Product Officer of the Solana Foundation, reinforced that assessment, writing on X that the incident “is not caused by a program or smart contract vulnerability, but is more likely related to operational security or social engineering attacks.” Norby added that any protocol relying on a multi-signature mechanism across various chains could theoretically face similar risks, and stressed that the Drift security incident “is an isolated case and does not indicate a systemic issue with Solana DeFi or related products.”

The clarification from both officials was pointed: this was not a Solana failure, it was a human one. As crypto.news has previously reported, social engineering has become the dominant attack vector in the industry, with phishing, fake job offers, and impersonation campaigns now accounting for a majority of high-value breaches — a pattern accelerated by North Korea’s Lazarus Group and other state-linked actors.

Market fallout and cross-chain ripple effects

SOL fell 9% to an intraday low of $78.60 on April 2, bringing its market cap down to $45.5 billion, according to crypto.news data. Over the previous seven days, SOL had already shed more than 10%, making it the steepest loss among the top 10 cryptocurrencies. The $285 million hack stands as one of the largest exploits in the Solana ecosystem in the last five years.

Cross-chain infrastructure also felt the strain. Wormhole posted on X confirming that its user assets were not at risk and that bridge functionality remained operational, but warned that built-in Solana security mechanisms could cause some cross-chain transfers to experience delays. Wormhole core contributors said they were in active communication with the broader Solana ecosystem to provide

Drift Protocol hit by $285m social engineering attack on Solana

  • Drift Protocol lost $285 million in one of the largest DeFi exploits in Solana’s history, with the attack executed through a compromised administrator key rather than a smart contract vulnerability.
  • Solana Foundation leadership confirmed the breach was rooted in social engineering and operational security failures, stressing that Solana’s underlying code and smart contracts remained intact.
  • SOL fell nearly 9% to an intraday low of $78.60 following the incident, bringing its market cap down to $45.5 billion.

Drift Protocol, a decentralized exchange built on Solana, lost approximately $285 million in digital assets on April 1 after an attacker exploited a compromised administrator key to drain nearly 20 protocol vaults in under 12 minutes, according to Bloomberg. The breach ranks as one of the largest DeFi hacks in Solana’s history and triggered a sharp selloff in SOL, which dropped 9% to $78.60 on the day.

PeckShield was among the first blockchain security firms to flag the incident, placing total losses at roughly $285 million. On-chain data later revealed that 31 transactions were executed across approximately 12 minutes. The attacker withdrew 66.4 million USDC, 42.7 million JLP, 23.3 million MOODENG, 5.6 million USDT, 5.2 million USDS, 2.6 million JUP, 583,000 RAY, and 477,000 WETH. A portion of the JLP tokens were burned, while the remaining assets were largely converted to SOL and distributed across multiple wallets.

The attack vector did not involve a flaw in the protocol’s smart contracts. Instead, a compromised Drift administrator key was used to list a new spot market and raise withdrawal limits across USDC and four other markets to 500 trillion — effectively disabling the platform’s security mechanisms and allowing the attacker to use fraudulent collateral to empty the vaults.
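The admin actions described here and in the earlier account (a new spot market listed, then withdrawal limits on other markets raised to 500 trillion, signed by more than one key within minutes) are changes a monitoring job can alert on before funds move. The following is an added example, not Drift's code or data schema: detection logic run over constructed admin-action records, where the field names, signer labels, prior limit values, ratio cap and time window are all assumptions.

```python
# Added illustration: flag risky admin-key activity in a stream of
# governance/admin actions. Record fields are hypothetical, not Drift's schema.
MAX_RAISE_RATIO = 10   # assumed policy: one change may raise a limit at most 10x
WINDOW_S = 15 * 60     # assumed correlation window in seconds

# Constructed sample events ("t" is seconds from an arbitrary start).
EVENTS = [
    {"t": 0, "signer": "adminA", "action": "set_withdraw_limit",
     "market": "USDC", "old": 5_000_000, "new": 6_000_000},
    {"t": 86_400, "signer": "adminB", "action": "list_spot_market", "market": "CVT"},
    {"t": 86_430, "signer": "adminB", "action": "set_withdraw_limit",
     "market": "USDC", "old": 6_000_000, "new": 500_000_000_000_000},
    {"t": 86_445, "signer": "adminC", "action": "set_withdraw_limit",
     "market": "USDT", "old": 2_000_000, "new": 500_000_000_000_000},
]

def detect(events):
    """Return (rule, detail, t) alerts for the admin-action stream."""
    alerts, listings, flagged = [], [], []
    for e in sorted(events, key=lambda ev: ev["t"]):
        if e["action"] == "list_spot_market":
            listings.append(e)
            continue
        if e["action"] != "set_withdraw_limit":
            continue
        # Rule 1: a limit raised far beyond policy in a single change.
        if e["new"] / max(e["old"], 1) <= MAX_RAISE_RATIO:
            continue
        alerts.append(("limit_raise", e["market"], e["t"]))
        flagged.append(e)
        # Rule 2: a brand-new market listed shortly before limits on other
        # markets are lifted (new collateral plus open withdrawals).
        for l in listings:
            if e["t"] - l["t"] <= WINDOW_S and l["market"] != e["market"]:
                alerts.append(("listing_then_raise",
                               f'{l["market"]}->{e["market"]}', e["t"]))
        # Rule 3: several distinct keys making oversized changes in one window.
        signers = {f["signer"] for f in flagged if e["t"] - f["t"] <= WINDOW_S}
        if len(signers) > 1:
            alerts.append(("multi_signer", ",".join(sorted(signers)), e["t"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The routine 1.2x adjustment at the start of the sample produces no alert; the same rules are more useful as pre-execution checks behind a timelock than as after-the-fact alerts.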

Solana Defends Its Infrastructure

Lily Liu, chair of the Solana Foundation, addressed the incident on X, stating: “The Drift incident has far-reaching effects, impacting the entire ecosystem. The Drift team is working around the clock to investigate and control the situation, and we are doing our best to provide support. The smart contract itself has withstood the test. The real target of the attack is ‘people’ — more related to social engineering and operational security vulnerabilities rather than exploits at the code level.”

Vibhu Norby, Chief Product Officer of the Solana Foundation, echoed that assessment, writing on X that the incident “is not caused by a program or smart contract vulnerability, but is more likely related to operational security or social engineering attacks.” He was also careful to contextualize the breach, noting that “any protocol relying on a multi-signature mechanism across various chains may face similar risks,” and calling the Drift security incident “an isolated case” that does not indicate systemic issues within Solana DeFi.

Cross-Chain Ripple Effects

Cross-chain bridge Wormhole also confirmed on X that its user assets were not at risk and that bridge functionality remained operational. However, the protocol warned that some Solana cross-chain transfers may experience delays due to built-in security mechanisms triggered by the incident. Wormhole said its core contributors were in active communication with the Solana ecosystem team.

The attack lands in a broader context of rising social engineering threats across crypto. As crypto.news reported in January, most major crypto breaches now stem from phishing, impersonation, and operational access failures rather than broken code — a pattern that the Drift incident reinforces. Only weeks prior, the Solana-based memecoin platform Bonk.fun was similarly compromised via a domain hijack that deployed a malicious wallet drainer, resulting in user losses exceeding $273,000.

The DRIFT token, which had already lost more than 86% of its value over the prior year, fell sharply from approximately $0.072 to $0.055 amid the chaos. The protocol had previously raised $25 million in a Series B round led by Multicoin Capital, bringing its total funding to over $52.3 million, according to crypto.news. At the time of the hack, its total value locked had stood at hundreds of millions of dollars, making it one of Solana’s most significant DeFi platforms.

The Solana Foundation said the community will continue to receive updates as the investigation concludes and noted that important operational security lessons are expected to emerge for the broader industry once the full picture is known.


