$285M Bug Or Human Error? Solana-Based Drift Protocol Suffers Largest Exploit Of 2026

Solana-based Drift Protocol has suffered the largest exploit of 2026 to date, losing nearly $300 million in a “highly sophisticated operation” that has raised concerns about the growing threat of human-targeted attacks in the crypto space.

Solana DEX Loses $285M On April Fool’s Day

On Wednesday, Solana-based decentralized exchange (DEX) Drift Protocol was the victim of an exploit that stole hundreds of millions of dollars from its vaults. After online reports flagged unusual on-chain activity yesterday afternoon, Drift’s official channels confirmed the attack, quickly suspending deposits and withdrawals.

According to reports, the attack lasted less than 20 minutes and stole around $285 million in multiple assets, including USDC, JPL, USDT, JUP, USDS, WBTC, and WETH, from nearly 20 vaults. This marks the largest crypto exploit of 2026 to date, and one of the largest hacks in the industry, just above WazirX’s $235 million hack.

The hack wiped out half of the Solana-based project’s total value locked (TVL), which fell from roughly $550 million to $252 million, per DeFiLlama data. Drift protocol’s token, DRIFT, also plunged, retracing nearly 40% over the past 24 hours.

Within hours, the exploiter had swapped $270.9 million into USDC, bridged them from Solana to Ethereum via the CCTP TokenMessengerMinterV2, and purchased 129,000 ETH, splitting them across multiple wallets.

In a Thursday post, Drift shared the details of the incident, affirming that “a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.”

Solana’s durable nonces are an advanced mechanism that allows transactions to bypass the typical short expiration date of regular transactions. This enables users to pre-sign transactions for future execution, offline signing, or complex multisig workflows.

“This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution,” the post continued.

Malicious Actors Targeting Humans, Not Smart Contracts

The Solana-based DEX emphasized that the exploit was not the result of a bug in Drift’s programs or smart contracts, noting that they found no evidence of compromised see phrases either.

“The attack involved unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated through durable nonce mechanisms and sophisticated social engineering,” the project underscored.

Lily Liu, President of the Solana Foundation, addressed the incident, asserting that it is a blow to the whole Solana ecosystem. Liu pointed out that “Smart contracts held up. The real targets now are humans: social engineering and opsec weaknesses more than code exploits.”

Ledger CTO Charles Guillemet linked Drift’s attack method to Bybit’s $1.4 billion hack, which was attributed to North Korean hacking groups. As he explained, the attackers likely compromised several machines belonging to multisig signers through long-term infiltration and misled operators into approving the malicious transactions.

This modus operandi is similar to the Bybit hack last year, widely attributed to DPRK-linked actors. The pattern is becoming familiar: patient, sophisticated supply-chain-level compromise targeting the human and operational layer, not the smart contracts themselves.

Guillemet affirmed that the incident is “yet another wake-up call for the industry” to raise the bar on security. “Ultimately, security is not just about code audits. It’s about giving operators and users the right information at the right time, so they can make informed decisions about what they sign,” he concluded.