Drift's "Fourth Day Heist" resulted in the theft of nearly $300 million, and the Solana ecosystem suffered a major blow during the bear market.

Summary

  • The Drift protocol on Solana was hacked on April 1, with estimated losses of $2-2.85 billion, making it the largest attack in 2026.
  • The hacker planned for 8 days, using social engineering to gain admin access and targeting high-liquidity assets like JLP Delta Neutral Vault.
  • Stolen assets were converted to USDC and cross-chained to Ethereum via Wormhole, transformed into about 130,000 ETH, increasing tracking difficulty.
  • The attack caused DRIFT token to plummet over 40%, shaking trust in the Solana ecosystem and worsening its declining activity issues.
  • It highlights DeFi security vulnerabilities, with lessons including improving key management, monitoring cross-chain escapes, and maintaining constant vigilance.

Author: Jae, PANews

April 1st was a day of April Fools' Day jokes in the crypto market, but for Drift, the leading derivatives protocol on the Solana chain, and its users, it turned into a real nightmare.

At 2:58 AM, Drift issued a chilling announcement: "Drift Protocol is experiencing an active attack, and deposits and withdrawals have been suspended. This is not an April Fool's joke."

Multiple security agencies and monitoring platforms have confirmed through on-chain tracing that the initial estimate of asset losses caused by this attack is between $200 million and $285 million.

This is the largest single on-chain attack in terms of value since the beginning of 2026. In the history of the entire Solana ecosystem, its scale is second only to the Wormhole cross-chain bridge $326 million theft in 2022.

Just before this disaster, the Solana ecosystem was already showing signs of decline in network fees and shrinking DEX trading volume. Now, the collapse of Drift not only adds insult to injury but also strikes at the most critical weak point of DeFi security.

After lying in wait for eight days, a textbook-perfect on-chain heist unfolded.

This was by no means a spur-of-the-moment attempt to exploit vulnerabilities, but rather a meticulously planned and step-by-step asset hunt.

On-chain evidence shows that the hacker's address HkGz4Kmo (hereinafter referred to as "H address") was quietly created 9 days before the attack.

In the first week, the hackers were extremely patient, only attempting small asset swaps on OKX and Jupiter DEX, which did not raise any alarms on the busy Solana network.

At 0:09 AM, the hunt ended with the net being pulled in.

The hackers' target was very clear: to steal only the most liquid and highest collateralized assets in Drift, especially the protocol's star product, "JLP Delta Neutral Vault".

The first large-scale abnormal transfer occurred in the JLP Delta neutral vault, where a single transaction resulted in the loss of 41.72 million JLP tokens, worth a staggering $155 million, instantly draining half of the vault's liquidity. JLP became the biggest loser.

The hackers transferred tokens at an extremely high frequency. At the peak of the attack, tens of millions of tokens were moved by the hackers in seconds. As of now, the holdings in the Drift main treasury have plummeted from $312 million to $7.8 million in just half a day.

After succeeding, the hackers did not linger on the Solana chain and immediately began laundering the money.

  1. Asset aggregation: The stolen JLP, cbBTC, wBTC and SOL were converted into USDC, which has higher liquidity, through the aggregator Jupiter;

  2. Cross-chain escape: Using the cross-chain bridge Wormhole, the funds were transferred in bulk to the Ethereum mainnet;

  3. Asset conversion: All stolen funds were converted into nearly 130,000 ETH (worth $277 million).

So far, the hacker has completed an initial round of concealing the funds, which significantly increases the difficulty of on-chain tracking.

Security firm SlowMist reported that a week before the attack, Drift changed its multi-signature mechanism to "2/5" and did not set a time lock. Hackers used social engineering to gain administrator privileges, forged malicious tokens, manipulated oracles, disabled security mechanisms, and transferred high-value assets from the liquidity pool.
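To make the reported weakness concrete, the following added example (not code from the article, SlowMist, or Drift) audits an admin-policy change and computes how long defenders have to veto an approved action. The baseline policy, the approval timestamps and the 300-second alert delay are constructed assumptions; only the 2/5, no-timelock configuration comes from the report quoted above.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class AdminPolicy:
    threshold: int      # signatures required to approve an admin action
    signers: int        # total number of key holders
    timelock_secs: int  # enforced delay between approval and execution

def audit_change(old: AdminPolicy, new: AdminPolicy) -> list[str]:
    """List the ways `new` is unsafe on its own or weaker than `old`."""
    findings = []
    if new.threshold * 2 <= new.signers:
        findings.append(f"{new.threshold}/{new.signers} is below a majority of signers")
    if new.threshold * old.signers < old.threshold * new.signers:
        findings.append("approval ratio lowered")
    if new.timelock_secs == 0:
        findings.append("no timelock: approved actions execute immediately")
    elif new.timelock_secs < old.timelock_secs:
        findings.append("timelock shortened")
    return findings

def earliest_execution(policy: AdminPolicy, approval_times: list[int]) -> int | None:
    """Time at which an action can run, or None if it is under threshold."""
    if len(approval_times) < policy.threshold:
        return None
    quorum_time = sorted(approval_times)[policy.threshold - 1]
    return quorum_time + policy.timelock_secs

def response_window(policy: AdminPolicy, alert_delay_secs: int) -> int:
    """Seconds left to veto after monitoring alerts on a reached quorum."""
    return max(0, policy.timelock_secs - alert_delay_secs)

# Constructed policies: BASELINE is hypothetical; REPORTED is the 2/5,
# no-timelock configuration the article attributes to SlowMist's report.
BASELINE = AdminPolicy(threshold=3, signers=5, timelock_secs=48 * 3600)
REPORTED = AdminPolicy(threshold=2, signers=5, timelock_secs=0)
# Constructed scenario: two signers approve a malicious action 90 s apart.
APPROVALS = [0, 90]

if __name__ == "__main__":
    for finding in audit_change(BASELINE, REPORTED):
        print("FINDING:", finding)
    for name, pol in (("baseline", BASELINE), ("reported", REPORTED)):
        print(name, "executes at", earliest_execution(pol, APPROVALS),
              "| veto window", response_window(pol, alert_delay_secs=300), "s")
```

Running the same audit in CI against every proposed governance change turns a silent threshold or timelock regression into a blocking finding.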

The devastating $25 million loss suffered by Resolv Labs in a hacking attack on March 22nd is still fresh in our minds. That attack was caused by a vulnerability in AWS KMS (Key Management Service), and now Drift has once again experienced a key breach.

Clearly, key management has become a major security threat to DeFi protocols.

DRIFT drops over 40%, potentially plunging the Solana ecosystem into a trust crisis.

The negative impact of the hacking attack went far beyond the damage to the protocol itself, spreading to the secondary market and the entire Solana ecosystem.

Within hours of the hack, the DRIFT token plummeted by as much as 40%, becoming the worst-performing asset in the entire market. The massive gap in the protocol's balance sheet shattered market confidence, instantly reducing the token's governance value and protocol dividend expectations to zero.

In a March 2026 report, PeckShield warned of the risk of “Shadow Contagion,” which states that the collapse of one leading protocol could trigger a chain reaction affecting multiple protocols.

According to SolanaFloor, 11 DeFi protocols have been confirmed to be affected by the Drift security incident, with some of them suspending their main functions and awaiting resumption of operations.

As if things weren't bad enough, the Solana ecosystem is actually struggling with declining activity levels.

Solana network fees have declined for two consecutive months, falling to $19 million in March, a 36% decrease from $30 million in January, primarily due to sluggish trading volume. Solana DEX trading volume has dropped to $57 billion, the lowest level since September 2024.

Drift, as the leading Perp DEX on Solana, once boasted a TVL of $1.5 billion. Its collapse may prompt institutional investors to rethink the security of the Solana ecosystem protocol.

In the Solana Ecosystem Report in February, the institutionalization process of the network reached its peak:

  1. Goldman Sachs disclosed that it holds $108 million worth of SOL;

  2. BlackRock's BUIDL fund has surpassed $550 million in on-chain assets.

  3. Citigroup has completed a proof-of-concept for tokenized bills of exchange based on Solana.

Undoubtedly, institutional investors seek certainty, compliance, and low risk, yet Drift lost approximately 50% of its TVL. This collapse of a liquidity hub not only resulted in direct financial losses but also challenged the safety bottom line of institutions.

If DeFi protocols cannot use insurance or technical means to keep the losses from a single attack within a certain threshold, then the large-scale adoption or migration of mainstream finance may come to a standstill.

For the first time, Solana's institutionalization wave has faced such a severe security test.

With its ecosystem growth stagnating and leading protocols being hacked, Solana is mired in the crypto bear market.

When will DeFi security catch up with the boom?

The question that Drift users care about most is: can the stolen funds be recovered?

Although the protocol includes an insurance fund, the remaining $4 million is a drop in the ocean compared to the nearly $300 million loss.

As of now, the protocol's fully diluted valuation (FDV) is less than $50 million, which means that Drift is in a state of "technical bankruptcy".

The Drift incident is not an isolated case, but a typical example of the wave of hacker attacks in recent years.

This disaster left behind three bloody lessons:

  1. Administrative-level private key breach: The cases in the table above demonstrate that hackers are no longer focusing on smart contracts, but have instead turned to attacking the endpoints of team members or cloud service providers. The line of defense has shifted from on-chain to off-chain, where it is more fragile and harder to hold.

  2. Cross-chain escape is difficult to trace: Nowadays, cross-chain aggregators are highly developed, and hackers can complete the monetization, cross-chain, and concealment in a short time. Moreover, cross-chain bridges have no emergency shutdown switch, so once funds escape, the probability of interception is close to zero.

  3. The period of emotional relaxation is the window of opportunity for attack: hackers tend to launch attacks during public holidays or when market sentiment is highly relaxed, and security defenses cannot be relaxed for a moment.
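Because funds cannot be intercepted once they cross the bridge, loss containment has to happen at the source. The sketch below is an added example (not part of the original article and not Drift's code) of a sliding-window outflow circuit breaker; the 5% cap, the one-hour window and both transfer streams are constructed assumptions, while the $312 million treasury and the $155 million single transfer are the figures quoted earlier in the article.

```python
from collections import deque

class OutflowBreaker:
    """Pause withdrawals when outflow in a sliding window exceeds a share of TVL."""

    def __init__(self, tvl_usd: int, max_bps: int = 500, window_secs: int = 3600):
        self.cap = tvl_usd * max_bps // 10_000   # e.g. 5% of TVL per window
        self.window = window_secs
        self.recent = deque()                    # (timestamp, usd) inside window
        self.outflow = 0
        self.paused = False

    def request(self, ts: int, usd: int) -> bool:
        """Return True if the withdrawal may proceed; trip the breaker otherwise."""
        while self.recent and self.recent[0][0] <= ts - self.window:
            self.outflow -= self.recent.popleft()[1]
        if self.paused or self.outflow + usd > self.cap:
            self.paused = True                   # stays paused until manual reset
            return False
        self.recent.append((ts, usd))
        self.outflow += usd
        return True

def simulate(transfers, tvl_usd: int, **limits):
    """Replay (timestamp, usd) withdrawals; return (usd released, breaker tripped)."""
    breaker = OutflowBreaker(tvl_usd, **limits)
    released = sum(usd for ts, usd in transfers if breaker.request(ts, usd))
    return released, breaker.paused

TVL = 312_000_000  # treasury size quoted in the article
# Constructed streams (timestamps in seconds, amounts in USD).
NORMAL = [(0, 5_000_000), (4_000, 12_000_000)]
DRAIN = [(0, 2_000_000), (600, 3_000_000), (1_200, 155_000_000), (1_205, 1_000_000)]

if __name__ == "__main__":
    print("normal:", simulate(NORMAL, TVL))
    print("drain: ", simulate(DRAIN, TVL))
```

The breaker only bounds losses if resetting it is gated by a stronger control than the one that was compromised, for example a higher signing threshold plus a timelock.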

The pursuit of high-yield, complex products in DeFi will not stop, nor will Solana's path to institutionalization. However, Drift has sounded an alarm for the market: as DeFi protocols raise the banner of decentralization and TVL soars, the bottom line of security must always be upheld, regardless of whether the market is bullish or bearish.

If protocol security cannot offset the risks posed by greed and technological blind spots, then every user interaction is essentially a dangerous game of dancing with hackers. After all, in the on-chain world, security is the lifeblood of survival.

The April Fool's joke landed on the heads of all crypto players, but after the laughter, the entire market will have to face a heavy bill.
