There’s a new type of attack showing up in crypto. Most hacks follow a familiar script. A bug gets exploited, keys get stolen, or something breaks. This one didn’t. Instead, it used systems exactly as they were designed to work. That’s what makes the Drift Protocol incident so uncomfortable. Over $280 million was drained, and nothing technically failed.
The How
This wasn’t a one-day exploit. It was a long, deliberate setup. Months before anything happened on-chain, a group posing as a legitimate trading firm began embedding themselves into the Drift ecosystem. They attended conferences, joined calls, asked thoughtful questions, and even deposited over $1 million of their own capital to appear legitimate and build trust. Over time, they built genuine relationships with contributors and became part of the network. By the time anything looked unusual, they weren’t outsiders anymore; they were trusted.
At the same time, they were quietly preparing the attack. They created a token called CarbonVote Token, or CVT, and made it appear legitimate. It had a price, trading activity, and liquidity, but all of it was controlled. By seeding a small pool and trading between their own wallets, they manufactured a price of around $1. From the system’s perspective, it looked like a real asset with a functioning market.
The turning point came with a Solana feature called “durable nonces”. While technical in name, the concept is simple. It allows a transaction to be signed in advance and executed later, sometimes days or even weeks after the original approval. In most cases, this is a useful feature. In this case, it became the core of the attack.
At some point during their interactions, the attackers got members of Drift’s Security Council to sign transactions they didn’t fully understand. These transactions appeared routine and didn’t raise immediate concerns, but they contained hidden instructions that would later transfer control of the protocol. After being signed, they sat unused for days, effectively waiting for the right moment.
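As an added illustration (not code from the article or from Drift), here is a pre-signing review routine over a simplified, constructed model of a Solana transaction: it flags a durable-nonce transaction, which begins with the System Program's AdvanceNonceAccount instruction and does not expire until that nonce is advanced, and refuses to approve any instruction that is privileged or that the signer's tooling cannot decode. The protocol program id and the privileged instruction names are assumed placeholders, not Drift's real identifiers.

```python
from dataclasses import dataclass

# Real Solana System Program id; the protocol id below is a labelled placeholder.
SYSTEM_PROGRAM = "11111111111111111111111111111111"
PROTOCOL_PROGRAM = "PROTOCOL_PROGRAM_ID_PLACEHOLDER"

# Assumed names for instructions that change who controls the protocol or what
# counts as collateral. The real names come from the program's IDL.
PRIVILEGED = {"update_admin", "set_authority", "add_collateral_asset",
              "update_risk_parameters", "remove_withdraw_limit"}

@dataclass(frozen=True)
class Instruction:
    program_id: str
    name: str        # "unknown" when the signer's tooling could not decode it

@dataclass(frozen=True)
class Transaction:
    instructions: tuple

def is_durable_nonce(tx):
    # A durable-nonce transaction starts with the System Program's
    # AdvanceNonceAccount instruction and stays valid until the nonce is
    # advanced, instead of expiring with a recent blockhash.
    if not tx.instructions:
        return False
    first = tx.instructions[0]
    return first.program_id == SYSTEM_PROGRAM and first.name == "AdvanceNonceAccount"

def review(tx):
    """Return (decision, findings); 'sign' only when nothing is flagged."""
    findings = []
    if is_durable_nonce(tx):
        findings.append("durable nonce: signature stays valid indefinitely")
    for i, ix in enumerate(tx.instructions):
        if ix.name == "unknown":
            findings.append(f"ix {i}: undecodable instruction for {ix.program_id}")
        elif ix.name in PRIVILEGED:
            findings.append(f"ix {i}: privileged {ix.name} on {ix.program_id}")
    if any(("undecodable" in f) or ("privileged" in f) for f in findings):
        return "reject", findings
    return ("hold", findings) if findings else ("sign", findings)

# Constructed samples: a routine settlement, and one that looks routine but
# carries a deferred admin change behind a durable nonce.
ROUTINE = Transaction((Instruction(PROTOCOL_PROGRAM, "settle_pnl"),))
HIDDEN = Transaction((Instruction(SYSTEM_PROGRAM, "AdvanceNonceAccount"),
                      Instruction(PROTOCOL_PROGRAM, "settle_pnl"),
                      Instruction(PROTOCOL_PROGRAM, "update_admin")))
```

Calling `review(HIDDEN)` returns `reject` with two findings (the durable nonce and the privileged `update_admin`), while `review(ROUTINE)` returns `sign`; a durable-nonce transaction with only routine instructions is held for manual review rather than rejected.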
The Execution
That moment came on April 1. The attacker executed the pre-signed transactions and gained full administrative control within seconds.
There were no alarms or failed checks because everything had been signed by authorised parties. From the system’s perspective, these were legitimate actions.
Once control was established, the rest unfolded quickly. The attacker whitelisted their fake CVT token as collateral, adjusted risk parameters, and removed key limits. They then deposited hundreds of millions of dollars’ worth of CVT, at least according to the system’s pricing. Because the protocol believed this collateral was real, it allowed the attacker to borrow against it. Real assets began flowing out, including USDC, SOL, and ETH, and within a short window, roughly $280 million had been drained.
From there, the funds were rapidly moved. Assets were swapped, bridged off Solana, and split across multiple wallets. The speed and coordination made it difficult to intervene in real time. The impact also spread beyond Drift itself, with more than 20 connected protocols reporting exposure, pauses, or losses. This is one of the realities of DeFi, where interconnected systems can amplify both growth and risk.

The instinct after an event like this is to ask what broke, but in this case, nothing did. The multisig worked as intended, governance processes were followed, and every transaction was valid. That’s what makes this incident different. It wasn’t a failure of code, but a failure of trust.
There are a few clear takeaways. Blind signing remains one of the biggest risks in crypto. If a transaction isn’t fully understood before approval, it introduces a level of trust that can be exploited. More broadly, risk is no longer confined to smart contracts. It exists in governance structures, operational processes, and human decision-making.
Perhaps most importantly, a transaction being valid does not mean it is safe. If there’s one thing to take from this, it’s that systems don’t always need to be hacked to be compromised. Sometimes, they just need to trust the wrong participant.
So, how does this compare?
The Drift exploit is now one of the largest hacks in crypto history. Between 2014 and 2026, there have been 10 major hacks with a combined $5.60 billion (USD) in funds affected.

Stay Safe
This wasn’t a technical failure. It was a trust failure. The people signing these transactions weren’t careless. They were convinced. Take a moment before you approve anything. If you don’t fully understand what a transaction does, don’t sign it, no matter how routine it looks.
Be cautious with new tools, apps, and integrations, even if they come from people you’ve spoken to or worked with. As this shows, trust can be built over weeks or months and still be exploited.
And remember, once something is signed and executed on-chain, there’s no undo button. In this case, everything was approved. That’s what made it possible.
Stay sharp.