The Human Attack Surface

On April 1, an attacker drained $285M from Drift Protocol on Solana. It was the largest DeFi exploit of 2026 and the second-largest in Solana's history, behind only the $326M Wormhole bridge hack in 2022. The funds were bridged to Ethereum within hours. No code was broken. No smart contract had a bug.

Instead, the attacker manufactured a fake token, tricked two multisig signers into pre-signing hidden authorizations, and used a legitimate Solana feature to keep those signatures valid indefinitely. The entire drain took 12 minutes. The setup took six months.

Building Trust, Then Breaking It

Starting in fall 2025, individuals posing as a quantitative trading firm approached Drift contributors at multiple international crypto conferences. They were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated. They met in person across several countries over six months, building relationships with specific contributors under the pretext of integrating with the protocol.

The individuals who appeared in person were not North Korean nationals. DPRK threat actors at this level are known to deploy third-party intermediaries for face-to-face relationship-building. Blockchain security firms Elliptic and TRM Labs have since attributed the attack to UNC4736, a state-sponsored unit also tracked as AppleJeus and Citrine Sleet, with fund flows tracing back to the October 2024 Radiant Capital hack.

The Mechanics: Fake Collateral, Real Withdrawals

The technical execution combined three elements that individually seem manageable but together proved devastating.

A fabricated token. On March 11, the attacker withdrew 10 ETH from Tornado Cash and used it to deploy CarbonVote Token (CVT) on Raydium with roughly $500 in seeded liquidity. Over the following weeks, wash trading generated a credible price history. Drift's Switchboard oracle feed began reporting CVT as a legitimate asset.

A governance hijack. The attacker used the social engineering relationships to induce two of Drift's five Security Council multisig signers into pre-signing transactions that appeared routine but carried hidden authorizations for critical admin actions. These included listing CVT as a valid collateral market and raising withdrawal limits to extreme levels. Drift's initializeSpotMarket function allows the admin to directly specify oracle address and source parameters, meaning even a token with no Pyth feed could be listed with an arbitrary oracle as long as admin privileges were secured.

Durable nonces. On Solana, transactions normally expire after about 90 seconds if not included in a block. Durable nonces override this by replacing the expiring blockhash with a fixed one-time code stored on-chain, keeping the transaction valid indefinitely. On March 23, four durable nonce accounts were created: two associated with legitimate Security Council members, two controlled by the attacker. The pre-signed authorizations sat dormant for nine days.

On April 1, the attacker submitted those pre-signed transactions. Two transactions, four slots apart, were enough to create and approve a malicious admin transfer, then approve and execute it. CVT was listed. Withdrawal limits were raised. The attacker deposited hundreds of millions of CVT as collateral, and Drift's oracles valued it at face. Thirty-one rapid withdrawals followed, draining USDC, JLP, and other real assets in roughly 12 minutes.

The Aftermath

The contagion spread to more than 20 protocols with Drift exposure. The hacker used Circle's cross-chain transfer protocol (CCTP) to bridge approximately $232M in USDC from Solana to Ethereum. Blockchain investigator ZachXBT criticized Circle for not freezing the stolen funds during a six-hour window after the attack began. Circle responded that it freezes assets when legally required, highlighting the tension between acting quickly and avoiding overreach without court orders.

As of April 7, Drift has not announced a formal compensation program. Deposits and withdrawals remain suspended.

What This Tells Us

The Drift exploit is a social engineering attack that happened to target a smart contract protocol. The code did exactly what it was told. The oracle reported what it observed. The multisig executed what was signed. Every component worked as designed. The failure was in the trust layer sitting above all of it.

Three design choices made the attack possible.

1. Zero-timelock governance. Drift's Security Council migration had no timelock, meaning admin changes could take effect immediately. A 24- or 48-hour delay would have given the community time to detect and cancel the malicious transactions before execution.

2. Oracle permissiveness. Drift's initializeSpotMarket function accepted arbitrary oracle sources specified by the admin. A manufactured token with $500 in seeded liquidity was treated the same as USDC or SOL. No minimum liquidity threshold, no oracle diversity requirement, no sanity check on collateral listings.

3. Durable nonces as a governance weapon. Solana's durable nonces are a convenience feature designed for offline signing and scheduled transactions. In this context, they became a way to stockpile signed admin authorizations and deploy them at will. The feature itself is not the problem. The absence of protocol-level defenses against indefinitely valid governance transactions is.

The broader lesson is uncomfortable. DeFi security audits focus almost exclusively on smart contract code. But Drift's contracts were not the vulnerability. The vulnerability was a five-person multisig where two signatures could be socially engineered over coffee at a conference, then held in stasis for weeks using a standard Solana feature. No audit catches that.

As nation-state actors become regular participants in DeFi exploitation, the attack surface is no longer just the blockchain. It is the people who control the keys.

• yoUSD ($40M TVL) continues as the largest vault with a steady 5.09% base APY (7d). Top allocations shifted toward Morpho Sentora PYUSD (25.13%) and Morpho Sentora RLUSD (21.33%), with Aave sGHO taking a larger 20.56% share. The vault still carries a 3.04% allocation to Resolv RLP at 0.00% yield due to frozen redemptions. Merkl reward boost at 12%.

• yoETH (7,023 ETH TVL) posted a 2.91% base APY (7d), down from 4.01% the prior week. Lido stETH allocation increased to 31.06%. A new 10.52% allocation to Morpho Steakhouse Prime ETH on Monad signals the vault's first deployment on the new chain. Merkl reward boost at 8%.

• yoBTC (124.52 cbBTC TVL) yields 1.11% (7d), essentially flat. Across WBTC remains dominant at 45.26%. StakeDAO tBTC-cbBTC increased to 27.55%. Merkl reward boost at 8%.

• yoEUR (1.36M EURC TVL) posted 2.66% (7d), up from 1.96% the prior week. The allocation shifted from a Fluid/Morpho kpk split to a concentration in Morpho kpk EURC (45.29%) and Morpho Steakhouse Prime EURC (32.72%). Merkl reward boost at 8%.

Catch our co-founder and CIO, Mehdi Lebbar’s presentation at Vault Summit last week 👇

yoSOL is ramping nicely, recently crossing $1M TVL 📈

Trending on CT: Are DeFi rates too low for the risk involved? 🤔