The "God's Key" of DeFi: An Overview of the Biggest Vulnerability in Decentralized Finance from the Theft of 285 Million Dollars from Drift

Drift's knife cut into a wound that the industry is most unwilling to face.

Author: Shenchao TechFlow

April 1, April Fools' Day.

The largest perpetual contract exchange on Solana, Drift Protocol, is being drained, and the community's first reaction is, "Nice April Fools' joke."

This is not a joke. Around 1:30 PM, the on-chain monitoring accounts Lookonchain and PeckShield simultaneously raised alarms: a strange wallet starting with "HkGz4K" is extracting assets from Drift’s treasury at an astonishing speed. The first transaction was 41 million JLP tokens, worth 155 million dollars. Next, 51.6 million USDC, 125 thousand WSOL, 164 thousand cbBTC... dozens of assets gushed out like the water from a bathtub after the plug is pulled.

One hour. The treasury’s assets dropped from 309 million dollars to 41 million. More than half of the TVL evaporated.

The Drift team tweeted on X, with an unusually urgent tone: "Drift Protocol is under active attack. Deposits and withdrawals have been paused. We are coordinating with multiple security firms, cross-chain bridges, and exchanges to control the situation."

Then came the phrase that would be etched in crypto history: "This is not an April Fools' joke."

A key that opens all doors

Estimates of the amount stolen from Drift vary by source. PeckShield estimates about 285 million dollars, Arkham reports over 250 million, and CertiK's initial assessment is around 136 million. But regardless of which number is valid, this is the largest DeFi security incident so far in 2026.

More noteworthy than the numbers is the method of attack.

PeckShield's founder Jiang Xuxian bluntly told Decrypt: The admin key behind Drift "has clearly been leaked or compromised." The attack patterns pieced together by on-chain researchers indicate that the hacker gained privileged access to the Drift protocol, thereby controlling the flow of funds in the treasury.

In other words, there were no clever smart contract vulnerabilities, no flash loan attacks, no oracle manipulation. Just the most primitive and clichéd security failure: someone lost the private key.

An even more unsettling detail: the attacker was not acting on a whim. On-chain data shows that this wallet received initial funding through Near Intents eight days before the attack, and then remained quiet. A week before the attack, it even received a tiny transfer worth 2.52 dollars from the Drift treasury. A test, a "knock on the door."

A week later, the door was kicked open.
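The two on-chain signals described above, a tiny treasury transfer to a never-before-seen wallet followed by a drain within an hour, can be written as monitoring rules. This is an added example, not code from Drift or any monitoring firm; the event format, thresholds, timestamps and wallet labels are constructed assumptions, and only the dollar amounts come from the article.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    ts: int      # unix seconds (constructed)
    to: str      # recipient label (constructed placeholder, not a real address)
    usd: float   # USD value of the outgoing treasury transfer

PROBE_MAX_USD = 10.0    # assumption: ceiling for a "test" transfer
WINDOW_S = 3600         # one-hour sliding window
DRAIN_FRACTION = 0.25   # assumption: alert when >= 25% of the treasury leaves per window

def scan(transfers, treasury_usd, known_recipients):
    """Return (kind, ts, to) alerts for treasury outflows, in time order."""
    alerts, seen, probed, window = [], set(known_recipients), set(), []
    for t in sorted(transfers, key=lambda x: x.ts):
        # Rule 1: dust-sized transfer to a wallet the treasury never paid before.
        if t.to not in seen and t.usd <= PROBE_MAX_USD:
            alerts.append(("probe_to_new_wallet", t.ts, t.to))
            probed.add(t.to)
        seen.add(t.to)
        # Rule 2: total outflow inside the sliding window versus the baseline balance.
        window = [w for w in window if t.ts - w.ts < WINDOW_S] + [t]
        if sum(w.usd for w in window) >= DRAIN_FRACTION * treasury_usd:
            # Escalate when the money goes to a wallet that was probed earlier.
            kind = "drain_to_probed_wallet" if t.to in probed else "rapid_drain"
            alerts.append((kind, t.ts, t.to))
    return alerts

WEEK = 7 * 24 * 3600
# Constructed sample: two ordinary withdrawals, the 2.52-dollar test transfer,
# then the first two large outflows a week later.
SAMPLE = [
    Transfer(0, "USER_A", 12_000.0),
    Transfer(1_000, "WALLET_X", 2.52),
    Transfer(50_000, "USER_B", 8_000.0),
    Transfer(WEEK + 1_000, "WALLET_X", 155_000_000.0),
    Transfer(WEEK + 1_100, "WALLET_X", 51_600_000.0),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE, 309_000_000.0, {"USER_A", "USER_B"}):
        print(alert)
```

On this sample the probe rule fires a week before the drain rule does, which is the window in which an emergency pause could still act.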

The fall of the crypto version of Robinhood

For Drift's co-founder Cindy Leow, the nightmare of April 1 has an especially harsh backdrop.

This Malaysian Chinese entrepreneur's story was once one of the best inspirational narratives in Solana DeFi. Leow started in 2016 with Bitcoin arbitrage between China and Korea, was involved in proprietary funds, contributed to derivatives projects on Ethereum, and in 2021 co-founded Drift with David Lu, betting on Solana’s speed advantage for on-chain perpetual contracts.

Looking at the timeline, Drift hit almost every wave perfectly. By 2024, it had secured two rounds of financing led by Polychain and Multicoin, totaling 52.5 million dollars. It launched a prediction market to challenge Polymarket and introduced 50x leverage, with TVL surpassing 550 million dollars and cumulative trading volume exceeding 50 billion. In an interview with Fortune, Leow described an ambitious positioning: to become the "crypto version of Robinhood."

This metaphor feels bittersweet now. Robinhood’s core promise is to give ordinary people access to Wall Street’s financial tools. Drift’s core promise is to provide users with a "non-custodial" trading experience on-chain, where your money does not pass through anyone's hands, only interacting with code.

But behind the code, there is an admin key. And the safety of this key ultimately relies on people, not cryptography.

There is also a nerve-piercing historical coincidence. In 2022, Drift v1 experienced a treasury draining incident. The team wrote an extremely detailed technical report afterward and even released a piece of proof-of-concept code demonstrating how the attacker emptied the entire treasury in one transaction. The loss from that incident was 14.5 million dollars, and the team compensated users in full out of their own pockets.

Four years later, the same nightmare replays at a scale 20 times larger.

A decentralized creed, a centralized Achilles' heel

Pulling back the view from Drift, you will find an uncomfortable pattern taking shape.

In early 2025, Resolv Labs' AWS key management service was breached, and the attacker used privileged keys to approve large-scale USR stablecoin minting operations, triggering a chain of losses across platforms. In the same year, the total amount of crypto thefts reached an unprecedented 3.4 billion dollars, and a report by Chainalysis particularly pointed out a trend shift: the most destructive events occur at the infrastructure level. Breached developer machines, single minting keys stored in the cloud, phishing that targets signing processes: these are the true black holes consuming funds.

Now add Drift to that.

If you line up these cases, there is a conclusion that is almost unavoidable: private key security has replaced smart contract vulnerabilities as the greatest systemic risk in DeFi.

There is a cognitive gap large enough to swallow billions of dollars.

The story that DeFi protocols tell externally is "decentralization," "non-custodial," "trustless." Your assets are held in custody by code, and no intermediary can touch your money. Users buy into this narrative, depositing money into these protocols, thinking, "I am dealing with mathematics."

But the reality is that almost every operational DeFi protocol has one or several "God keys": admin keys, upgrade permissions, treasury control rights, emergency pause buttons. These keys sometimes exist for security (to halt the protocol urgently when something goes wrong) and sometimes for flexibility (to upgrade contract logic), but their essence is the same: a centralized trust point wrapped in a decentralized narrative.

Users believe they are interacting with code. In reality, they are trusting that one person, or a small group of people, will not make mistakes, will not be phished, will not be coerced, and will not leave their laptops in cafes at night.

This is not a problem unique to Drift; it is a structural contradiction in the entire DeFi industry.

Where did the 285 million dollars go?

The attacker's on-chain actions were clean and neat, carried out with the calm of a professional.

After extracting assets from Drift’s treasury, the attacker quickly converted most of the tokens into stablecoins, then transferred the funds to the Ethereum network via the Wormhole cross-chain bridge. On Ethereum, the attacker used part of the stablecoins to purchase about 19,913 ETH (valued at approximately 42.6 million dollars), with the remaining funds dispersed to multiple wallet addresses.

There is an absurd detail: the attacker's wallet also held a large amount of Fartcoin, accounting for about 2.5% of the total supply of that token. A hacker who has just completed the largest DeFi heist of the year is holding a bunch of meme coins named after farting.

As of the time of writing, Drift's deposits and withdrawals remain paused. The DRIFT token has fallen from about 0.072 dollars before the attack to around 0.05 dollars, a decline of over 28%. From its historical high of 2.60 dollars, the cumulative decrease exceeds 98%. The Phantom wallet has already issued warnings to users attempting to access Drift.

The Drift team has stated that they are coordinating with security firms, cross-chain bridge operators, and centralized exchanges to attempt to freeze and track the stolen funds. But if history is any reference, the prospects of recovering funds that have been transferred across chains and dispersed to multiple wallets are not good.

A problem the industry must face honestly

Drift's knife cut into a wound that the industry is most unwilling to face.

Chainalysis's report at the end of 2025 optimistically stated that DeFi security has made "substantial progress," noting that even with TVL doubling back to 119 billion dollars, losses from DeFi hacks are actually decreasing. The case of Venus Protocol was cited as a positive example: the security monitoring system detected anomalies 18 hours before the attack, the protocol quickly paused operations, and the governance mechanism froze the attacker’s funds, so that the attacker even lost money.

Drift undercuts this "progress narrative." You can audit smart contracts to perfection and deploy cutting-edge on-chain monitoring, but as long as an admin key can be compromised through social engineering, phishing, or brute force, all of that security infrastructure is a fortress built on sand.

The DeFi industry needs to stop and honestly answer a question: What do you really mean when you say "non-custodial" to users?

If the protocol's admin key can transfer all the assets in the treasury at any time, how is that different from keeping money in a bank account of someone you don’t know? At least banks have insurance, regulation, and legal recourse.

Perhaps the answer is not to abolish these admin permissions; in many cases, their existence is necessary. But at the very least, the industry should stop pretending they don't exist. Multi-signature governance, time locks, hardware security modules, key rotation... these technical solutions have existed for years, yet far too many protocols hinge the security of hundreds of millions on the vigilance of one or two human operators.

The dream of a "crypto version of Robinhood" is beautiful. But before realizing it, perhaps we should first answer a more fundamental question: Who is holding that key?
