Drift Protocol, one of the major perpetual decentralized exchanges (DEX) on Solana, was reportedly exploited on April 2, 2026, with total estimated damages exceeding $270 million. According to on-chain data, this amount is equivalent to more than 50% of the protocol’s total value locked (TVL), marking one of the largest exploits on the Solana.
What happened
The first signs emerged when on-chain data recorded unusual capital outflows from Drift Protocol’s vaults within a very short timeframe. Multiple large transactions were executed consecutively, all directed to a single wallet address: HKgZ4K.
In a post last night, Drift Protocol confirmed that the platform is facing an ongoing attack and has temporarily suspended critical operations to limit damage.
Drift Protocol is experiencing an active attack. Deposits and withdrawals have been suspended. We are coordinating with multiple security firms, bridges, and exchanges to contain the incident. This is not an April Fools joke. We’ll provide additional updates from this account as… https://t.co/03SRPq4fHj
— Drift (@DriftProtocol) April 1, 2026
Messages from the team indicate that the incident was detected almost in real-time, as deposit and withdrawal activities were immediately halted, and the project began coordinating with various stakeholders to control the situation.
Initial reports did not clarify the specific cause of the incident. According to the latest update on X, Drift Protocol stated that the attack did not stem from a smart contract bug, but was related to the attacker gaining unauthorized access to the governance system through Solana’s “durable nonce” mechanism.
Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.
This was a highly sophisticated operation that appears to have involved…
— Drift (@DriftProtocol) April 2, 2026
According to the project, the attacker used pre-signed transactions combined with gathering sufficient signatures from the multisig to execute a malicious admin rights transfer, thereby gaining control over protocol-level permissions. This process is believed to have been prepared for weeks and executed in just minutes.
Fund Flow & Stolen Assets
Similar to previous large-scale DeFi exploits, the attacker executed continuously large transactions within minutes.
The Drift Protocol exploiter is swapping the $270M+ stolen assets into $USDC, then bridging to #Ethereum to buy $ETH. 🚨
So far, they have bought 19,913 $ETH ($42.6M).https://t.co/I0kfOvxqRphttps://t.co/C5nLmNfYsM pic.twitter.com/WesXqfQnsn
— Lookonchain (@lookonchain) April 1, 2026
Specifically, after withdrawing assets from Drift Protocol, the majority of the funds were quickly converted into USDC before being bridged from Solana to Ethereum and subsequently used to purchase ETH. According to Lookonchain, the attacker bought approximately 19,913 ETH (equivalent to about $42.6 million) in the initial stage, then continued to accumulate. Currently, the exploiter’s wallet has nearly completed the conversion of all stolen assets to Ethereum, holding approximately 130,000 ETH, valued at over $270 million.
Drift Protocol appears to have been exploited, with over $270M in assets suspiciously transferred to wallet HkGz4K. 🚨
That’s crazy!https://t.co/iWVPzvDDhx pic.twitter.com/AQCa5q4b3M
— Lookonchain (@lookonchain) April 1, 2026
Notably, about $155 million in JLP — the token representing the system’s liquidity — was part of the total $270 million stolen, indicating that the exploit directly impacted Drift’s core liquidity structure.
Impact: TVL, Price & Users
Drift Total Value Lock chart. Source: DeFiLIama
Before the incident, Drift Protocol’s TVL fluctuated between $500M and $600M. After the exploit, this figure plummeted to approximately $252 million, representing a decline of over 50%. This trend not only reflects the assets directly withdrawn by the attacker but also shows that the remaining capital is leaving the protocol as cautious sentiment grows.
DRIFT price chart (4H). Source: TradingView
Along with the drop in liquidity, the DRIFT token reacted negatively almost immediately, falling about 15%–20% shortly after news of the exploit spread, down to around the $0.45–$0.50 range.
Recently, the Drift Protocol stated that deposits related
DRIFT price chart (4H). Source: TradingView
to borrowing, lending, vaults, and trading activities could all be affected. However, the specific scale of damage for each user group has not yet been announced in detail.
What’s Next
Currently, fund-tracking efforts are focused on the address HKgZ4K on Ethereum, where the bulk of the assets were moved following the exploit.
However, the history of DeFi hacks suggests that the likelihood of asset recovery is often quite low, especially once the attacker has completed the conversion and dispersed the assets through multiple steps.
Drift Protocol stated they are coordinating with security firms, bridges, exchanges, and authorities to track and attempt to freeze the stolen assets.
This event once again shows that security risk remains one of the biggest issues for DeFi, especially as systems become increasingly complex and cross-chain connectivity expands.
