DeFi platform Drift was hacked on April Fools' Day! The hacker drained $270 million in assets, with the administrator key being the vulnerability.


Drift was hacked and lost over $270 million; its TVL evaporated by more than $260 million in 12 minutes, and a suspected compromise of the admin key is believed to be the fatal weakness.

A real disaster on April Fools’ Day: $270 million in assets unexpectedly goes missing from Drift

On April 1, Drift Protocol, a well-known decentralized derivatives trading platform in the Solana ecosystem, suffered a serious security incident. In the early hours of that day, multiple on-chain monitoring sources, including Lookonchain and Helius CEO Mert Mumtaz, issued alerts one after another, reporting abnormal large-scale fund flows in the Drift protocol.

At first, some community members believed it was an April Fools’ prank; however, Drift’s official account subsequently posted an urgent statement on the X platform, emphasizing that this was a real attack currently under way and absolutely not a joke. The official team then announced a full suspension of the platform’s deposit and withdrawal functions and urged users not to put funds into the protocol again. Based on preliminary investigations and on-chain tracking data, the stolen assets in this incident are estimated to exceed $270 million.

[Image: Drift’s official urgent statement stressing that the attack is real and not an April Fools’ joke. Source: X/@DriftProtocol]

This disaster caused the platform’s total value locked (TVL) to plummet in just 12 minutes—from $309 million down to only $41.0 million. At present, the Drift team is working closely with multiple cybersecurity investigation firms, cross-chain bridge service providers, and centralized exchanges to track and freeze the stolen funds flowing out, preventing the hackers from laundering money further.

A carefully staged fake-token trap: compromised admin privileges become the key vulnerability

According to cybersecurity experts and on-chain data analysis, this attack showed a high degree of premeditation and technical complexity: the hackers began laying the groundwork three weeks before the attack occurred. First, the attacker created a fake token called “CarbonVote Token ($CVT)” on the Solana network and seeded the Raydium liquidity pool with only about $500 in liquidity. The attacker then manipulated the token price through wash trading over several weeks, fabricating a history of stable oracle prices.

By the time of the attack, the hackers are suspected to have obtained control of the Drift protocol’s admin key and, at a critical stage, used it to list the valueless $CVT token directly in Drift’s spot market. To empty the vaults without obstruction, the attacker simultaneously raised the withdrawal limits for multiple markets, including $USDC, to an extreme level of 500 trillion dollars, which effectively disabled the platform’s security protection mechanisms.

The attacker then deposited about 785 million $CVT tokens as collateral and used the manipulated, fraudulent price to borrow large amounts of real assets from the platform’s vault. This approach shows the hackers had deep knowledge of the underlying protocol mechanisms and carried out an extremely precise, targeted strike.
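The sequence described above relies on three things a pre-execution policy check can catch: a collateral listing backed by a thin pool and a short price history, a withdrawal limit raised by many orders of magnitude in one change, and collateral valued at the oracle price with no regard to pool depth. The following is an added example, not Drift’s code; the thresholds, the previous USDC limit and the $CVT oracle price are assumptions, while the $500 of liquidity, the three weeks of history, the 785 million tokens and the 500 trillion limit come from the article.

```python
from dataclasses import dataclass

# Policy thresholds below are illustrative assumptions, not Drift parameters.
MIN_POOL_LIQUIDITY_USD = 1_000_000   # thin pools are cheap to wash-trade
MIN_PRICE_HISTORY_DAYS = 90          # a few weeks of stable prices proves little
MAX_LIMIT_MULTIPLIER = 2.0           # largest single raise of a withdrawal limit
LIQUIDITY_HAIRCUT = 0.25             # share of pool depth usable as collateral value


@dataclass
class Listing:
    symbol: str
    pool_liquidity_usd: float
    price_history_days: int


def review_listing(listing: Listing) -> list[str]:
    """Return reasons to block a new collateral market (empty list = pass)."""
    reasons = []
    if listing.pool_liquidity_usd < MIN_POOL_LIQUIDITY_USD:
        reasons.append(f"{listing.symbol}: pool liquidity "
                       f"${listing.pool_liquidity_usd:,.0f} below minimum")
    if listing.price_history_days < MIN_PRICE_HISTORY_DAYS:
        reasons.append(f"{listing.symbol}: only "
                       f"{listing.price_history_days} days of price history")
    return reasons


def review_limit_change(market: str, old_limit: float, new_limit: float) -> list[str]:
    """Flag withdrawal-limit raises larger than the allowed multiplier."""
    if old_limit > 0 and new_limit / old_limit > MAX_LIMIT_MULTIPLIER:
        return [f"{market}: limit raised {new_limit / old_limit:,.0f}x in one change"]
    return []


def collateral_value(amount: float, oracle_price: float, pool_liquidity_usd: float) -> float:
    """Value collateral at the oracle price, capped by what the pool could absorb."""
    return min(amount * oracle_price, pool_liquidity_usd * LIQUIDITY_HAIRCUT)


if __name__ == "__main__":
    # Constructed sample input: old USDC limit and CVT price are placeholders.
    findings = review_listing(Listing("CVT", 500, 21))
    findings += review_limit_change("USDC", 50_000_000, 500e12)
    for line in findings:
        print("BLOCK", line)
    capped = collateral_value(785_000_000, oracle_price=1.0, pool_liquidity_usd=500)
    print(f"785M CVT counts as ${capped:,.2f} of collateral")
```

Checks like these only help if they run outside the reach of the admin key itself, for example behind a timelock or a multi-party approval step.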

On-chain data reveals the flow of funds: the HkGz4K wallet hits 20 vaults

The attack ran mainly through a wallet address labeled HkGz4K, which executed 31 large withdrawals in a very short time and nearly emptied close to 20 of the platform’s asset vaults. The withdrawn assets were highly diversified, including 66.40 million $USDC, 42.70 million $JLP, 23.30 million $MOODENG, as well as millions of $USDT, $USDS, $JUP, $RAY, and 477,000 $WETH.

According to tracking, the attacker then used the Solana DEX aggregator Jupiter to convert most of the stolen funds into $USDC and transferred them via a cross-chain bridge to the Ethereum network. On the Ethereum chain, the hacker further exchanged the funds into about 19,913 Ether ($ETH).

This incident dealt a severe blow to market confidence. Drift’s native token $DRIFT fell by more than 20% within a short time after the news broke; the price dropped from the $0.071 level to about $0.05. Although Solana’s native token $SOL rebounded after hitting a low of $83.82, investors across the ecosystem remained on high alert.

Market confidence is shaken; Solana’s ecosystem security and defense system faces a severe test

This massive-loss security incident once again rang the alarm bell for decentralized finance (DeFi), especially as hacking attacks have been frequent in the first half of 2026. Just a few hours before Drift’s incident, an attack also hit the LML staking protocol on Binance Smart Chain, causing the token to nearly go to zero. And last month, the oracle manipulation incident at Venus Protocol also resulted in a $3.7 million loss.

Vladimir S from the cybersecurity investigation team said that this Drift disaster is highly likely related to the leakage of the admin key, leaving the project team defenseless against the hackers. Regarding this incident, Drift’s official team has stated it will pursue legal routes and do everything possible to recover the funds.

However, historical data shows that after being hacked, the token prices of affected projects often have difficulty recovering to their pre-incident highs, and repairs to rebuild user trust usually take a very long time. At present, Drift is still shut down, and this $270 million catastrophe is unquestionably the second-largest security incident in Solana ecosystem history, only behind the Wormhole hack. This event also underscores that while striving for high-performance trading, strengthening the security of admin privileges and oracle mechanisms has become a core issue that developers must prioritize.
