A fake token, a compromised admin key, and a months-long social-engineering campaign added up to the biggest Solana exploit since Wormhole — and put the ecosystem's biggest perp DEX on life support.
On April 1, Solana's biggest decentralized perpetuals venue, Drift Protocol, opened a maintenance window for what was supposed to be a routine oracle adapter upgrade. Forty-five minutes later, $285 million in user deposits was gone — and the Drift core team was staring at a code path that the attackers had been waiting to trigger for months.
| Element | Detail |
|---|---|
| Loss | ~$285 million (ETH, SOL, USDC, BTC) |
| Attack window | ~22 minutes |
| Initial vector | Pre-signed authorization via compromised admin key |
| Exploit mechanism | Fake token used to manipulate oracle price feed |
| Suspected actor | DPRK-linked TraderTraitor (Elliptic, Halborn) |
| TVL before / after | $1.3B / $0.4B |
Beginning in late 2025, attackers impersonating prospective Series B investors initiated conversations with multiple Drift team members over Telegram and Signal. One engagement progressed to a staged due-diligence exercise that asked engineers to sign transactions "to validate their wallet configuration."
The signatures they produced were not validations. They were pre-signed authorizations that could be triggered at will, weeks or months later — effectively giving a third party full administrative control over Drift's oracle adapter. The attackers sat on those authorizations for nearly four months, according to Halborn.
"The industry has gotten materially better at smart-contract security. Attackers have responded by moving up the stack, into the soft targets: people, infrastructure, admin keys."
— Ronghui Gu, Co-founder, CertiK

On the morning of April 1, a freshly minted fake token — its metadata carefully crafted to match the oracle registry's formatting — was registered against a bespoke price feed the attackers controlled. A burst of trades pushed its quoted price from a fraction of a cent to roughly $900. Drift's cross-margin engine, believing a wallet holding that token was enormously solvent, extended vault-draining borrow lines. In less than half an hour, attackers swept all five vaults.
The Drift attack had two exploitable moments: the pre-signed authorization stage, and the oracle registration stage. A pre-signature policy engine enforcing three rules would have caught both: (1) any oracle adapter modification requires time-locked multi-party authorization; (2) any new token registration from a zero-history wallet triggers a hold for human review; (3) any vault withdrawal sequence exceeding a configurable percentage of TVL within a defined window requires multi-sig escalation. Web3Firewall's policy engine enforces exactly these controls before transactions reach the blockchain. The technical capability to prevent the Drift drain existed on April 1. The protocol simply was not running it.
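To make the three rules concrete, here is a small Python policy engine, added as an illustration for this article; it is not Web3Firewall's, Drift's, or any vendor's code. It encodes rule (1) as a quorum plus time-lock check on oracle adapter changes, rule (2) as a hold on token registrations from signers with little or no history, and rule (3) as a sliding-window budget on vault withdrawals, then replays a constructed version of the sequence described above (the pre-signed oracle change, the fresh-wallet token registration, the vault sweep). All thresholds, wallet names, timestamps and dollar amounts are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Tx:
    """One transaction presented to the engine before it is broadcast (constructed shape)."""
    kind: str                        # "oracle_update" | "token_register" | "vault_withdraw" | "other"
    signer: str                      # wallet that signed the transaction
    ts: int                          # submission time, unix seconds
    usd_value: float = 0.0           # vault_withdraw only: value leaving the vault
    approvals: int = 1               # distinct council signatures attached
    queued_at: Optional[int] = None  # when the change entered the time-lock queue, if ever


@dataclass
class PolicyEngine:
    """Pre-signature policy engine; every threshold below is an assumed, configurable value."""
    tvl_usd: float
    council_quorum: int = 3                 # rule 1: signatures required for an oracle change
    timelock_s: int = 48 * 3600             # rule 1: minimum delay between queueing and execution
    min_signer_age_s: int = 30 * 86400      # rule 2: signers younger than this are "zero history"
    withdraw_pct: float = 0.10              # rule 3: share of TVL allowed per window
    window_s: int = 3600                    # rule 3: trailing window length
    first_seen: dict = field(default_factory=dict)    # signer -> first observed timestamp
    _attempts: list = field(default_factory=list)     # (ts, usd_value) of recent withdrawal attempts

    def evaluate(self, tx: Tx) -> tuple[str, str]:
        """Return (decision, reason); decision is one of allow / hold / escalate / reject."""
        if tx.kind == "oracle_update":
            return self._rule_oracle(tx)
        if tx.kind == "token_register":
            return self._rule_registration(tx)
        if tx.kind == "vault_withdraw":
            return self._rule_withdrawal(tx)
        return "allow", "no policy applies"

    def _rule_oracle(self, tx: Tx) -> tuple[str, str]:
        # Rule 1: a single key, or a stale pre-signed authorization that skipped the queue, fails here.
        if tx.approvals < self.council_quorum:
            return "reject", f"oracle change carries {tx.approvals} of {self.council_quorum} approvals"
        if tx.queued_at is None:
            return "reject", "oracle change was never queued in the time-lock"
        if tx.ts - tx.queued_at < self.timelock_s:
            return "reject", "time-lock has not elapsed"
        return "allow", "oracle change passed quorum and time-lock"

    def _rule_registration(self, tx: Tx) -> tuple[str, str]:
        # Rule 2: an unknown signer has age 0 and is held for human review.
        age = tx.ts - self.first_seen.get(tx.signer, tx.ts)
        if age < self.min_signer_age_s:
            return "hold", f"token registration from signer with {age}s of history"
        return "allow", "registration from established signer"

    def _rule_withdrawal(self, tx: Tx) -> tuple[str, str]:
        # Rule 3: attempts count against the budget whether or not they were allowed,
        # so once a burst trips the threshold everything after it escalates until the window clears.
        cutoff = tx.ts - self.window_s
        self._attempts = [(t, v) for t, v in self._attempts if t > cutoff]
        self._attempts.append((tx.ts, tx.usd_value))
        total = sum(v for _, v in self._attempts)
        limit = self.withdraw_pct * self.tvl_usd
        if total > limit:
            return "escalate", f"${total:,.0f} attempted in window exceeds {self.withdraw_pct:.0%} of TVL"
        return "allow", "withdrawal within window budget"


def drift_style_scenario() -> list:
    """Constructed replay of the article's sequence (not chain data); returns the decisions in order."""
    t0 = 1_775_000_000  # arbitrary constructed timestamp
    eng = PolicyEngine(tvl_usd=1.3e9, first_seen={"long-lived-admin": t0 - 400 * 86400})
    txs = [
        # a single compromised admin key replays a pre-signed oracle adapter change, never queued
        Tx("oracle_update", "long-lived-admin", t0, approvals=1),
        # a wallet with no history registers a token against a bespoke price feed
        Tx("token_register", "fresh-wallet", t0 + 60),
        # vault sweep: five withdrawals of $57M each, four minutes apart (constructed amounts)
        *[Tx("vault_withdraw", "fresh-wallet", t0 + 120 + i * 240, usd_value=57e6) for i in range(5)],
        # a properly queued, quorum-signed oracle change three days later, for contrast
        Tx("oracle_update", "long-lived-admin", t0 + 3 * 86400, approvals=3, queued_at=t0),
    ]
    return [eng.evaluate(tx)[0] for tx in txs]


if __name__ == "__main__":
    for decision in drift_style_scenario():
        print(decision)
```

In the replay the pre-signed oracle change is rejected outright, the fresh-wallet registration is held, the first two withdrawals fit inside the 10%-of-TVL window budget and the third onward escalate to multi-sig, while the queued and quorum-signed change passes. The point of the design is that the engine never has to recognise the fake token or the manipulated price: it only needs to notice that an oracle change skipped the time-lock, that a registrant has no history, and that value is leaving the vaults faster than policy allows.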
TVL collapsed from $1.3 billion to $400 million within seventy-two hours. A reimbursement plan funded by treasury reserves, a new DRIFT token emission, and a five-year protocol-revenue haircut is being put to governance. The team is replacing its admin-key scheme with hardware-enforced MPC and moving its oracle adapter behind a time-locked council.
CoinHub Today is an independent media organisation and does not provide investment, financial, or legal advice. All content is for educational purposes only. Cryptocurrency investments involve substantial risk. Past performance is not indicative of future results. Always consult a qualified financial adviser before investing.