$285 million was drained in 12 minutes, not because of a bug, but because the system trusted humans more than it should have.



On April 1, 2026, Drift Protocol, the largest perpetual DEX on Solana, was exploited for $285M. The protocol had around $550M in total value locked before the attack, and more than half of that was effectively wiped out in minutes.

The important part is this: nothing was broken at the code level. There was no smart contract bug. The system behaved exactly as designed.

The attackers spent roughly six months building access. They approached contributors in late 2025 posing as a legitimate trading firm, attended real conferences, held technical discussions, and even deployed over $1M into the ecosystem to appear credible. Over time, they gained trust and introduced malicious tools through shared code repositories and fake applications. This allowed them to compromise the devices of contributors connected to governance.

From there, they targeted the governance layer instead of the code.

Drift used a 2-of-5 multisig with no timelock, meaning any two signers could approve administrative actions instantly. The attackers exploited this by getting signers to approve transactions in advance using a Solana feature called durable nonces, which allows a signed transaction to remain valid indefinitely. These approvals were collected weeks before the exploit and could not be revoked later.
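A simplified model of the governance weakness described above, as an added example that is not Drift's or Solana's code: it checks the same pre-signed approvals against the policy as the post describes it (2 signers, no timelock, approvals that never expire) and against a constructed hardened policy. The `Policy` fields, the `can_execute` function, the 48-hour delay, the 24-hour approval lifetime and all timestamps are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DAY = 86_400  # seconds


@dataclass(frozen=True)
class Policy:
    threshold: int               # signatures required
    timelock: int                # seconds an action must sit in the public queue
    approval_ttl: Optional[int]  # max signature age at queue time; None = never expires


def can_execute(policy, approvals, queued_at, now):
    """approvals maps signer -> time the signature was made.
    Returns (allowed, reason)."""
    fresh = [signer for signer, signed_at in approvals.items()
             if policy.approval_ttl is None
             or 0 <= queued_at - signed_at <= policy.approval_ttl]
    if len(fresh) < policy.threshold:
        return False, f"only {len(fresh)} unexpired approvals, need {policy.threshold}"
    if now - queued_at < policy.timelock:
        return False, f"timelock: {policy.timelock - (now - queued_at)}s remaining"
    return True, "ok"


# Policy as the post describes it: 2 signers, no delay, approvals never expire.
AS_DESCRIBED = Policy(threshold=2, timelock=0, approval_ttl=None)
# Constructed hardened policy; the 48h / 24h values are illustrative assumptions.
HARDENED = Policy(threshold=2, timelock=2 * DAY, approval_ttl=1 * DAY)


def demo():
    t0 = 100 * DAY  # constructed timestamps, in seconds
    stale = {"signer_a": t0 - 21 * DAY, "signer_b": t0 - 20 * DAY}  # signed weeks earlier
    fresh = {"signer_a": t0 - 3600, "signer_b": t0 - 1800}          # signed within the hour
    return {
        "described_stale_instant": can_execute(AS_DESCRIBED, stale, t0, t0),
        "hardened_stale_instant": can_execute(HARDENED, stale, t0, t0),
        "hardened_fresh_instant": can_execute(HARDENED, fresh, t0, t0),
        "hardened_fresh_after_delay": can_execute(HARDENED, fresh, t0, t0 + 2 * DAY),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:28} allowed={ok} ({reason})")
```

Under the hardened policy, approvals collected weeks earlier no longer count, and even fresh approvals leave a public window before the action takes effect.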

At the same time, the attackers created a fake token called CVT. They minted 750 million tokens, added minimal liquidity, and used wash trading to make it appear like a real $1 asset. The protocol’s oracle system accepted this pricing as valid because there were no strict liquidity or validation checks in place.

When everything was ready, the execution took about 12 minutes.

They used the pre-approved transactions to take control of governance, listed the fake token as collateral, manipulated its price through their own oracle, and raised withdrawal limits to effectively remove all risk controls. Then they deposited the fake collateral and borrowed real assets against it across multiple vaults.

A total of 31 transactions drained around $285 million in assets including USDC, ETH, SOL-based tokens, and others.

Within hours, the funds were moved across chains. The attackers swapped assets to USDC, bridged over $200M to Ethereum through more than 100 transactions, converted it into roughly 129,000 ETH, and split the funds across multiple wallets.

The attack was linked to the Lazarus Group, which has stolen over $6B from crypto ecosystems in recent years.

This was not a failure of blockchain technology. It was a failure of governance design and human trust.

It was a combination of:

• Long-term social engineering
• Pre-approved governance access
• Fake collateral that passed system checks
• Immediate execution with no delay safeguards