On April 1, 2026, Drift Protocol, one of the largest decentralized perpetual exchanges (perp DEX) in the Solana ecosystem suffered a major security breach resulting in losses of nearly $278.5 million, equivalent to approximately IDR 4.2 trillion.

This incident quickly became one of the largest DeFi hacks of 2026 and sparked serious concerns regarding governance security in Solana-based protocols.

Overview of Drift Protocol

Drift Protocol is a decentralized derivatives exchange built on Solana, offering a range of non-custodial trading instruments, including:

• Perpetual futures with leverage up to 101x
• Spot trading and asset swaps
• Lending and borrowing features
• Cross-margin system for capital efficiency
• High liquidity with fast execution

As a key protocol within the Solana ecosystem, Drift is known for its active user base and significant Total Value Locked (TVL).

Attack Timeline

Based on initial reports from the Drift Protocol team, the attack was executed in several stages:

March 23, 2026
The attacker created four durable nonce accounts, including two linked to the multisig structure.

March 27, 2026
Drift carried out a Security Council migration (change of members).

April 1, 2026 (~11:00 UTC)
A small withdrawal transaction from the insurance fund occurred and appeared legitimate.

Escalation Phase (minutes later)
The attacker executed two pre-signed durable nonce transactions to gain administrative control.

Exploitation Phase

• Added malicious assets (tokens)
• Removed withdrawal limits
• Drained all vaults in less than one hour

The total affected funds included various assets such as USDC, SOL, JLP, and several wrapped assets.

Exploiter Address and Fund Tracking

Blockchain analytics platform Arkham Intelligence has identified and tracked the movement of stolen funds in real-time.

Main attacker address on Solana:

HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES

This wallet received the majority of funds directly from Drift Protocol vaults.

Arkham link:
https://intel.arkm.com/explorer/address/HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES

Destination addresses on Ethereum:
The funds have been transferred and converted into ETH and stablecoins, distributed across the following addresses:

0x0FE3b6908318B1F630daa5B31B49a15fC5F6B674

0xD3FEEd5DA83D8e8c449d6CB96ff1eb06ED1cF6C7

0xbDdAE987FEe930910fCC5aa403D5688fB440561B

0xAa843eD65C1f061F111B5289169731351c5e57C1

Arkham noted that nearly all assets have been swapped and bridged across chains, a common pattern used to obscure transaction trails.

Current Status

As of April 2, 2026, Drift Protocol has taken several mitigation steps:

• All deposit and withdrawal activities have been suspended
• The protocol is currently frozen
• An investigation is underway with security firms and industry partners
• Coordination is being conducted with multiple parties, including major exchanges
• The insurance fund has been secured
• User assets outside the protocol (e.g., staking) are reported to be unaffected

The team stated that a full postmortem report will be released soon.

Following the incident, the DRIFT token dropped by approximately 11%, reflecting market concerns over security risks, although the situation is still evolving.

Not a Smart Contract Vulnerability

In its initial statement, the Drift team emphasized that the incident was not caused by a smart contract bug, but rather by:

• Compromise of 2 out of 5 multisig signers
• Exploitation of the durable nonce mechanism
• Strong indications of social engineering

These findings once again highlight that the greatest risks in DeFi often lie in operational and governance layers, rather than purely in code.