The $280M Solana Hack Wasn't a Bug. It Was a Feature.
Drift Protocol lost $280M on April 1 through Solana's durable nonces feature. Here's how the attack worked, who's behind it, and what it means for Solana traders.

$280 million. Gone in 12 minutes. On April Fools' Day, no less.
Drift Protocol, one of Solana's biggest decentralized exchanges (a platform where you can trade crypto without a middleman), got drained on Tuesday. Not because of a bug in the code. Not because someone cracked a private key. Because the attacker used a legitimate Solana feature exactly the way it was designed to work.
That feature is called "durable nonces." And if you've never heard of it, you're about to learn why it matters.

What Is Drift Protocol?
Drift is a perpetual futures exchange on Solana. Think of it as a platform where traders can bet on whether crypto prices will go up or down, with leverage (borrowed money that amplifies your gains or losses). Before the attack, it held around $550 million in user deposits.
It was one of the anchors of Solana DeFi (decentralized finance, the ecosystem of apps that let you borrow, lend, and trade without banks). The key word here is "was."
What Actually Happened
Here's the timeline, and it reads like a heist movie.
March 11: The attacker withdrew 10 ETH from Tornado Cash (a service that makes crypto transactions untraceable). They deployed a fake token called CarbonVote Token. TRM Labs later noted this happened around 09:30 Pyongyang time, which is not a coincidence.
March 23: Four "durable nonce" accounts were created on Solana. Two belonged to legitimate Drift Security Council members. Two were controlled by the attacker.
March 23 to March 30: The attacker social engineered (tricked) two of Drift's five Security Council members into pre-signing transactions. Those signatures stayed valid indefinitely, waiting to be used.
April 1, around 6:00 PM UTC: Drift ran a routine test withdrawal from its insurance fund. One minute later, the attacker submitted the pre-signed transactions. Two transactions, four slots apart on the blockchain, were enough to take over the entire protocol's admin controls.
From there, 31 withdrawal transactions in roughly 12 minutes. Vaults emptied. $280 million bridged out.
How Durable Nonces Made This Possible
This is the part that should concern every Solana user.
Normally, Solana transactions expire fast. Every transaction includes a "recent blockhash," the hash of a recent block, which works like a timestamp proving the transaction is fresh. That blockhash expires after about 60 to 90 seconds. If you don't submit the transaction in that window, it dies. That's a safety feature: old transactions can't be replayed.
Durable nonces override that safety. They replace the expiring blockhash with a fixed value that stays valid indefinitely, until someone submits the transaction.
The feature exists for a good reason. Institutions need to sign transactions in advance and submit them later. Cold storage wallets need time to move funds through multiple approval layers. Hardware wallets in air-gapped environments need flexibility.
But here's the problem: by separating when you sign from when you execute, you create a gap. The attacker got Security Council members to sign something that looked routine. Then they waited over a week before actually using those signatures for something completely different.
It's like getting someone to sign a blank check, then filling in the amount later.
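How a signer can tell the two kinds of transaction apart before approving, as an added example that is not Drift's or Solana's own code: a durable-nonce transaction carries the System Program's AdvanceNonceAccount instruction as its first instruction, and the message's blockhash field holds the stored nonce value. The sample messages, the placeholder keys and the `signing_decision` policy are constructed for illustration.

```python
# Added example (not project code): detect durable-nonce use in a serialized Solana message.
SYSTEM_PROGRAM = bytes(32)                  # System Program ID decodes to 32 zero bytes
ADVANCE_NONCE = (4).to_bytes(4, "little")   # SystemInstruction::AdvanceNonceAccount tag

def _shortvec(buf, pos):
    """Decode a compact-u16 length prefix; return (value, next_pos)."""
    value = shift = 0
    while True:
        value |= (buf[pos] & 0x7F) << shift
        if not buf[pos] & 0x80:
            return value, pos + 1
        pos, shift = pos + 1, shift + 7

def durable_nonce_info(msg: bytes):
    """Return nonce details if instruction 0 is AdvanceNonceAccount, else None."""
    pos = (1 if msg[0] & 0x80 else 0) + 3   # optional version byte + 3-byte header
    n_keys, pos = _shortvec(msg, pos)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    stored_value, pos = msg[pos:pos + 32], pos + 32   # the "recent blockhash" field
    n_ix, pos = _shortvec(msg, pos)
    if n_ix == 0:
        return None
    program_idx, pos = msg[pos], pos + 1
    n_acc, pos = _shortvec(msg, pos)
    accounts, pos = list(msg[pos:pos + n_acc]), pos + n_acc
    data_len, pos = _shortvec(msg, pos)
    data = msg[pos:pos + data_len]
    system = program_idx < n_keys and keys[program_idx] == SYSTEM_PROGRAM
    if not system or data[:4] != ADVANCE_NONCE:
        return None
    if n_acc < 3 or max(accounts) >= n_keys:   # fail closed on anything odd
        raise ValueError("malformed or unresolvable nonce instruction; refuse to sign")
    return {"nonce_account": keys[accounts[0]].hex(), "nonce_authority": keys[accounts[2]].hex(),
            "nonce_value": stored_value.hex()}

def signing_decision(msg: bytes, allow_durable: bool = False) -> str:
    """Hypothetical policy gate: non-expiring signatures need explicit approval."""
    if durable_nonce_info(msg) is None:
        return "ok: expires with its recent blockhash"
    if allow_durable:
        return "ok: durable nonce explicitly approved"
    return "refuse: durable nonce, signature would not expire"

_K = [bytes([i]) * 32 for i in (1, 2, 3)]   # constructed placeholder keys, not real accounts
DURABLE_MSG = (bytes([1, 0, 2, 4]) + _K[0] + _K[1] + _K[2] + SYSTEM_PROGRAM
               + bytes([9]) * 32 + bytes([1, 3, 3, 1, 2, 0, 4]) + ADVANCE_NONCE)
TRANSFER_MSG = (bytes([1, 0, 1, 3]) + _K[0] + _K[1] + SYSTEM_PROGRAM + bytes([9]) * 32
                + bytes([1, 2, 2, 0, 1, 12]) + (2).to_bytes(4, "little") + (1000).to_bytes(8, "little"))
```

The check only answers whether a signature will expire; the signer still has to review what the remaining instructions do.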
Where the Money Went
According to security researcher Vladimir S., the stolen assets broke down like this:
The largest chunk was $155.6 million in JLP tokens (Jupiter's liquidity provider token). After that: $60.4 million in USDC, $11.3 million in CBBTC, $5.65 million in USDT, $4.7 million in wrapped ether, $4.5 million in DSOL, $4.4 million in WBTC, and $4.1 million in FARTCOIN. Yes, FARTCOIN.
The attacker converted most of it to USDC, bridged it from Solana to Ethereum, and purchased roughly 130,000 ETH. Funds were routed through NEAR, Backpack, Wormhole, and Tornado Cash.
Who Did This?
TRM Labs, a blockchain analytics firm, published a report pointing to North Korean state hackers. The evidence: Tornado Cash staging patterns, the Pyongyang-time deployment window, cross-chain bridging techniques, and the speed of post-hack laundering.
All of it "aligns closely with techniques observed in prior DPRK-attributed hacks including the Bybit exploit of 2025," according to TRM. That Bybit hack was $1.4 billion, the largest crypto theft in history. Same playbook, smaller scale.
Elliptic, another blockchain analytics firm, confirmed the suspected DPRK link independently.
If true, this is the second-largest Solana exploit in history, behind only the $326 million Wormhole bridge hack in 2022.
The Damage
The DRIFT token cratered over 40% after disclosure. TVL collapsed from roughly $550 million to under $250 million. That's the theft plus panicked withdrawals from users who could still access their funds.
Drift immediately paused deposits, withdrawals, and all trading. They removed the compromised wallet from the multisig, launched a program upgrade to reclaim admin authority, and brought in multiple security firms.
But here's what they said about recovery: "the likelihood of asset recovery is often quite low." Historically, state-sponsored hackers don't give money back.
Multiple other Solana protocols with exposure to Drift liquidity or strategies paused operations or began assessing their own losses. The shockwave hit about a dozen protocols.
Why This Matters Beyond Drift
This wasn't a smart contract bug. Code audits wouldn't have caught it. The attack exploited the gap between how multisig governance works and how durable nonces interact with it.
That means every Solana protocol running a multisig with durable nonces enabled has the same theoretical vulnerability. The fix isn't a code patch. It requires changing how teams handle pre-signed transactions, adding time locks, and requiring fresh context verification before execution.
Solana's DeFi ecosystem was already showing stress before this. Network fees dropped 42% quarter-over-quarter heading into Q2 2026. DEX volumes fell to $55.5 billion in March, the lowest since September 2024.
And in the last 7 days, Drill tracked 597 new token launches across Solana. The hard rejection rate (tokens flagged for critical security failures) was 87%. The selection rate, tokens that passed all filters, was 5.7%. The ecosystem is quiet, quality is thin, and now trust in the infrastructure layer just took a massive hit.
What You Should Do
If you had funds in Drift: Check Drift's official channels for updates on their recovery plan. Deposits into borrow/lend products, vault deposits, and trading funds were affected. DSOL not deposited into Drift (including assets staked to the Drift Validator) was not affected.
If you use any Solana DeFi protocol: Ask the team how they handle multisig governance. Do they use durable nonces? What time locks exist? How many signers are required? These aren't paranoid questions anymore. They're baseline due diligence.
If you're trading memecoins on Solana: The memecoin market itself wasn't directly hit. Pump.fun, Raydium, and Jupiter still function. But ecosystem trust affects everything. When a $550M protocol gets emptied overnight, the ripple effects touch liquidity, confidence, and where capital flows next.
The Bigger Picture
North Korean hackers stole $1.4 billion from Bybit in 2025. Now potentially $280 million from Drift in 2026. The pattern is accelerating, and the targets are moving from centralized exchanges to DeFi protocols.
The attack vector is shifting too. This wasn't about finding a code flaw. It was about understanding how governance works and exploiting the human layer. Two signatures, obtained through social engineering, were enough to take $280 million.
Real talk: code can be audited. Smart contracts can be formally verified. But the governance layer, the humans who hold the keys, that's the soft underbelly of every DeFi protocol. And until the industry figures out how to harden that layer, the $280 million question isn't whether this will happen again. It's when.
Sources
- How a Solana feature designed for convenience let an attacker drain more than $270 million from Drift (CoinDesk)
- North Korean Hackers Attack Drift Protocol In $285 Million Heist (TRM Labs)
- Drift Protocol Hacked Over $270M, Wiping Out 50% of Its TVL (NFT Evening)
- Drift Protocol Hit by $285M Exploit: Crypto's Biggest Hack of 2026 (CCN)
- Drift Protocol exploited for $286 million in suspected DPRK-linked attack (Elliptic)
- Solana DeFi platform Drift investigates suspicious activity (CoinDesk)
- Drill.meme data, March 27 to April 3, 2026

