Drift loses $280 million as hackers seize its security council powers
Drift Protocol suffered a $280 million loss after hackers hijacked its Security Council by using durable nonce accounts and pre‑signed transactions to gain admin control, add malicious assets, remove withdrawal limits, and drain funds. The attack was staged between March 23 and March 30 and executed on April 1. Drift confirmed no smart contract vulnerabilities or seed phrase compromise, issued a warning to users, froze all protocol functions, and is collaborating with security firms, exchanges, and law enforcement to recover the stolen assets.

Drift Protocol has disclosed a dramatic security breach that drained approximately $280 million after an attacker seized broad administrative powers within its Security Council. The incident did not stem from a flaw in Drift’s code or a compromised seed phrase, the platform stated, but from a meticulously planned takeover of governance controls.
The attack unfolded through a carefully staged sequence that began well before any funds moved. Between March 23 and March 30, the attacker established durable nonce accounts and maneuvered to secure the necessary approvals from the Security Council, obtaining 2 of the 5 Security Council signatures, which met the threshold for action. With these preparations in place, the intruder pre-signed a set of malicious transactions designed to sit idle until execution at a precisely chosen moment. This approach allowed the attacker to avoid immediate detection while laying the groundwork for a rapid, coordinated strike.
On April 1, the operator carried out a legitimate transaction, then immediately triggered the pre-signed malicious transactions. In a matter of minutes, control of the protocol’s admin functions shifted to the attacker. Once in control, the adversary introduced a malicious asset, removed withdrawal limits, and ultimately drained funds from the platform’s various pools. This sequence of gaining elevated access, executing pre-approved harmful actions, and disabling critical controls culminated in a liquidity and funds crisis for Drift and its users.
Estimates of the losses vary slightly among observers. Drift Protocol itself places the figure at around $280 million, while blockchain-tracking firm PeckShield has pegged losses at roughly $285 million. As the unusual behavior drew attention, Drift issued a public warning, informing users that an investigation was underway and urging them not to deposit additional funds until further notice. In the aftermath, borrow and lend deposits, vault deposits, and trading funds were affected, and the protocol’s operations effectively froze. Drift stressed that its DSOL token was unaffected and that the insurance fund assets remained secured.
In response, Drift has engaged with security firms, cryptocurrency exchanges, and law enforcement authorities to trace and attempt to freeze the stolen assets. The firm also committed to publishing a detailed post-mortem in the coming days to provide a comprehensive account of the incident, its timeline, and the actions taken in the immediate wake of the breach.
Drift Positioning and Context
Drift Protocol operates as a decentralized, non-custodial trading venue built on the Solana blockchain. It aims to give users full control of their funds as they interact with on-chain markets. Prior to the incident, Drift publicly highlighted its scale and growth. By late 2024, the project claimed it had around 200,000 traders, with total trading volumes exceeding $55 billion and peak daily volumes around $13 million. These figures reflected a platform that had established itself as a significant player in the Solana ecosystem, with a broad user base and substantial on-chain activity.
The breach underscores the complexity and risk inherent in governance-enabled DeFi platforms. Even when code and seed phrases are secure, the governance layer — particularly privileged administrative controls like those managed by a multisignature Security Council — can become a critical single point of failure if not designed, monitored, and audited with the utmost rigor. In Drift’s case, the attacker’s strategy leveraged governance mechanics rather than a direct software flaw, illustrating how threat actors may pivot toward operational surfaces such as authorization workflows, nonce management, and timely transaction execution to maximize impact.
What happens next remains to be seen. The post-mortem promised by Drift will be closely analyzed for insights into governance risk, incident response, and fund recovery strategies. The ongoing collaboration with security firms, exchanges, and law enforcement suggests a multi-pronged effort to locate and potentially recover stolen assets, as well as to shore up defenses against similar threats in the future. While some of the platform’s functionality is currently suspended, the priority appears to be containment, transparency, and a clear account of the sequence of events that enabled the breach.
As the industry digests this event, Drift’s experience serves as a high-profile reminder of the importance of robust governance procedures, meticulous monitoring of privileged accounts, and rapid, coordinated responses to anomalous activity. In the volatile landscape of decentralized finance, where the line between administration and on-chain execution can be razor-thin, the integrity of security councils and the speed with which a platform can diagnose and contain a breach may determine whether users retain trust or move on to alternatives. The coming days will reveal the full extent of the incident, the eventual financial ramifications, and the lessons that auditors, operators, and investors will carry forward from this landmark case.