In April 2026, Drift, a Solana-based decentralized perpetual futures exchange, was the victim of a hack. The attacker stole an estimated $285 million from the protocol within 12 minutes.
Inside the Attack
While the Drift hack was executed in a matter of minutes, it was the culmination of weeks of effort, beginning March 11, 2026. The attackers began by creating a fake token, named the CarbonVote Token (CVT), with an initial supply of 750 million tokens.
Next, the attackers created a Raydium pool and began a wash trading campaign designed to push the perceived price of the token to $1 despite only having a few thousand dollars' worth of liquidity in the pool. The goal was for Drift’s oracles to notice the activity and accept CVT as a legitimate asset.
In parallel with the creation of the token, the attackers created several “durable nonce” accounts. These accounts take advantage of a Solana feature that allows transactions to be digitally signed in advance and executed at a later point in time. The attackers performed a social engineering campaign targeting various members of the Drift Security Council, tricking them into signing transactions that contained hidden approvals for privileged functionality.
On April 1, the attackers executed the preapproved transactions, taking advantage of the fact that the Drift Security Council had moved to a 2/5 multisig scheme and eliminated timelocks a few days earlier. Removing the timelocks eliminated the delays during which the Council could have detected and reversed the malicious transactions.
With the privileges provided by the preapproved transactions, the attackers were able to list CVT as approved collateral and increase withdrawal limits. Then, they deposited hundreds of millions in CVT into Drift at the artificial price of $1 per token. This allowed them to perform 31 withdrawal transactions within 12 minutes, draining an estimated $285 million from the protocol.
Beyond the careful buildup, the Drift hack was notable for the speed and scale of the money laundering after the fact. Within hours, most of the stolen assets were bridged to Ethereum using transactions containing hundreds of thousands or millions of USDC.
Lessons Learned from the Attack
The Drift hack was a sophisticated campaign that applied deception and social engineering to humans and smart contracts alike. A wash trading campaign tricked price oracles into accepting CVT as a legitimate token with a valuation of $1. Social engineering targeting Drift’s Security Council allowed attackers to sneak malicious functionality into preapproved transactions.
The attackers also took advantage of Solana’s features and changes in the Drift Protocol. Durable nonces made it possible for the attackers to store malicious, preapproved transactions for later use, allowing them to be more subtle about collecting the required approvals. The elimination of timelocks and the move to a 2/5 multisig scheme also made the attack easier by requiring fewer approvals and making malicious transactions instantly irreversible.
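A pre-signing check that a multisig signer could run on the message bytes they are asked to approve, as an added example (not Drift's or Halborn's code): it flags a transaction that uses a durable nonce, recognizable because its first instruction is the System Program's AdvanceNonceAccount, and reports every instruction that calls a program outside an allowlist. The function names, the allowlist and the sample bytes are assumptions constructed for illustration, and only legacy (non-versioned) messages are parsed.

```python
import struct
SYSTEM_PROGRAM = bytes(32)  # System Program id: 32 zero bytes
ADVANCE_NONCE = struct.pack("<I", 4)  # SystemInstruction::AdvanceNonceAccount

def shortvec(buf, pos):
    """Decode a compact-u16 length prefix; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def parse_instructions(msg):
    """Parse a legacy message into [(program_id, account_keys, data), ...]."""
    if msg[0] & 0x80:
        raise ValueError("versioned message: out of scope for this example")
    n, pos = shortvec(msg, 3)  # skip the 3-byte header
    keys = [msg[pos + 32 * i:pos + 32 * (i + 1)] for i in range(n)]
    pos += 32 * n + 32  # account keys, then the blockhash/nonce slot
    count, pos = shortvec(msg, pos)
    out = []
    for _ in range(count):
        program, pos = keys[msg[pos]], pos + 1
        k, pos = shortvec(msg, pos)
        accounts, pos = [keys[i] for i in msg[pos:pos + k]], pos + k
        k, pos = shortvec(msg, pos)
        out.append((program, accounts, msg[pos:pos + k]))
        pos += k
    return out

def review(msg, allowed_programs):
    """Return findings a signer should resolve before approving msg."""
    ixs = parse_instructions(msg)
    findings = []
    if ixs and ixs[0][0] == SYSTEM_PROGRAM and ixs[0][2][:4] == ADVANCE_NONCE and ixs[0][1]:
        findings.append(("durable_nonce", ixs[0][1][0].hex()))  # nonce account key
    for i, (program, _, _) in enumerate(ixs):
        if program not in allowed_programs:
            findings.append(("unexpected_program", i, program.hex()))
    return findings

# Constructed sample, not a real transaction: keys are filler bytes.
SIGNER, NONCE_ACCT, SYSVAR, GOV = (bytes([b]) * 32 for b in (1, 2, 3, 9))
SAMPLE = (bytes([1, 0, 3, 5]) + SIGNER + NONCE_ACCT + SYSVAR + SYSTEM_PROGRAM + GOV
          + b"\xaa" * 32 + bytes([2])                  # nonce value, 2 instructions
          + bytes([3, 3, 1, 2, 0, 4]) + ADVANCE_NONCE  # ix0: advance the nonce
          + bytes([4, 1, 0, 2, 0xDE, 0xAD]))           # ix1: opaque call into GOV
```

Calling `review(SAMPLE, {SYSTEM_PROGRAM})` returns a `durable_nonce` finding naming the nonce account and an `unexpected_program` finding for the second instruction; a signing policy can treat either one as a reason to stop and decode the transaction fully before approving.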
Halborn’s security advisory services help ensure that protocols have the security controls and guardrails needed to protect against top threats. Get in touch to find out more.
