Drift exploit drains $200M on Solana

- Drift Protocol said on April 16 it was investigating an April 1 exploit with law enforcement and forensics firms after losses tied to user accounts.
- Drift said outstanding user losses totaled $295 million, while CoinMarketCap reported estimates started at $200 million and could be closer to $270 million.
- Drift said additional recovery and relaunch details would be posted in future community updates, after two independent audits and a new multisig.

Drift Protocol said on April 16 that it was still investigating an April 1 exploit with law enforcement and third-party forensics firms, after an attack on the Solana-based trading platform led to what the company described as $295 million in outstanding user losses. CoinMarketCap reported earlier that estimated losses were at least $200 million and that some on-chain data put the figure closer to $270 million.

The exploit hit one of Solana’s largest decentralized derivatives venues and triggered immediate market fallout. CoinMarketCap said the DRIFT token fell more than 20% in the hours after the breach was first reported, while Solana dropped to a local low of $83.82. CoinMarketCap’s historical data page shows SOL traded between $87.66 and $84.04 on May 22 and closed at $84.31. (drift.trade)

### How large was the breach, and why do estimates differ?

Drift said on April 16 that the recovery framework was designed to address $295 million in outstanding user losses over time as exchange revenue grows. That figure is higher than the roughly $200 million estimate cited in early reports and reflects the company’s later accounting of affected users and assets.

CoinMarketCap reported that the exploit began more than two hours before Drift posted its public alert and that on-chain trackers saw more than $250 million move from Drift to an interim wallet before being split across multiple addresses. (coinmarketcap.com) The report said some on-chain estimates placed total losses closer to $270 million.

### What did investigators and on-chain analysts say happened?

(drift.trade) CoinMarketCap reported that blockchain security researcher Vladimir S said the most likely cause was a compromised admin signer key. According to that report, the attacker used that access to drain multiple Drift vaults, including JLP Delta Neutral, Solana Super Staking and Bitcoin Super Staking. (coinmarketcap.com)

A single transfer of 41.7 million JLP tokens was worth about $155 million, CoinMarketCap said. The report also said other drained assets included Solana, USDC, cbBTC and wBTC, based on SolScan data.

### Where did the stolen funds go after leaving Drift?

CoinMarketCap reported that Lookonchain found the attacker converting stolen funds into USDC through Jupiter, a Solana-based decentralized exchange aggregator. (coinmarketcap.com) The report said those stablecoins were then bridged to Ethereum and used to buy Ether.

By 5:45 p.m. UTC on the day of the attack, the attacker held about 19,913 Ether worth roughly $42 million, according to CoinMarketCap’s account of on-chain data. (coinmarketcap.com) The same report said the main exploiter wallet had been created eight days before the attack and remained inactive until about 18 hours before the breach.

### What has Drift promised affected users?

(coinmarketcap.com) Drift said it had secured a proposed collaboration with Tether and other partners to support user recovery, including up to $127.5 million from Tether and another $20 million from other partners. The package includes a $100 million revenue-linked credit facility, an ecosystem grant and loans to market makers, according to the company’s April 16 update. (coinmarketcap.com)

The company also said it planned to issue a separate recovery token for users affected by the April 1 exploit. Drift said any recovered funds would be contributed to a dedicated recovery pool.

### What has to happen before the protocol relaunches?

Drift said relaunch of the protocol depends on two independent audits, one by Ottersec and one by Asymmetric, along with broader operational security changes. (drift.trade) The company also said it would introduce a new community-governed multisig to manage core protocol assets.

Drift said on April 16 that it expected to share additional details on recovery and relaunch as they became available. (drift.trade) The next public milestones are those community updates, the completion of the two audits and the rollout of the new multisig structure, according to the company.
