Drift Exploit Drains $280M In Admin Takeover Attack

A $280 million exploit on Drift Protocol has emerged as one of the largest decentralized finance (DeFi) breaches to date. The scale of the loss raises immediate concerns about governance-layer security across high-value protocols.

Drift disclosed that the attack targeted its administrative controls rather than smart contracts, according to a statement published Thursday. The Solana-based trading platform said a malicious actor gained access through a “highly sophisticated” operation involving durable nonce accounts and pre-approved multisig transactions. The attacker then escalated privileges, introduced a malicious asset, and removed withdrawal limits to extract funds.

How Did Attackers Bypass Drift’s Governance Controls?

The exploit highlights a growing attack vector focused on governance infrastructure rather than code vulnerabilities. Drift confirmed that neither its smart contracts nor seed phrases were compromised, pointing instead to social engineering or transaction misrepresentation as likely entry points. Total value locked (TVL) on the platform exceeded $550 million prior to the incident, according to DeFiLlama, meaning roughly half of protocol assets were impacted.

Affected assets included JLP, SOL, USDC, cbBTC, and wBTC, with all major deposit functions compromised. Drift has since frozen protocol operations and replaced the affected multisig wallet, while coordinating with exchanges, bridges, and law enforcement to track the stolen funds. But can governance systems evolve quickly enough to prevent similar privilege escalation attacks?

The incident also triggered criticism of stablecoin issuer Circle. Onchain investigator ZachXBT said more than $230 million in USD Coin (USDC) tied to the exploit was bridged from Solana to Ethereum via Circle’s Cross-Chain Transfer Protocol (CCTP) without timely intervention.

“Value was moved and nothing was done yet again,” ZachXBT wrote, adding that Circle had a six-hour window to freeze funds.

The episode renews scrutiny around centralized controls in ostensibly decentralized systems, particularly as stablecoin issuers retain the ability to freeze assets, making response times and policy consistency a key risk factor to monitor in future exploits.
