Drift Protocol Loses $285 Million in Crypto Heist

On April 1, Drift Protocol, a Solana-based decentralized exchange, was hit by an attack that drained about $285 million from its vaults. The DRIFT token dropped around 45%. The platform suspended deposits and withdrawals, telling users it was not an April Fools joke.

The attackers didn't find a bug in Drift's code. Instead, they spent weeks setting up a fake token called CarbonVote Token (CVT). They used wash trading (fake trades between their own wallets) to make it look like the token was worth $1. Drift's price oracles treated it as real. But they still needed a way to turn that into a withdrawal.

That part was made easier by a change Drift made just days earlier. On March 27, the protocol removed its timelock. A timelock is a waiting period, usually 24 to 72 hours, before important administrative actions take effect. Without it, the attackers had zero delay once they gained control. Two or more of Drift's security council members were 'tricked' into pre-signing transactions. When the attack launched, those signatures activated instantly.

On April 1, the attackers used that access to list CVT as valid collateral, raised withdrawal limits to unlimited amounts, deposited their fake tokens, and walked away with real assets in about 12 minutes. Drift's total value locked dropped from roughly $550 million to below $200 million. More than 20 other protocols that had exposure to Drift also had to pause operations or assess losses.