How Solana's Largest Perp DEX Was Exploited for $285 Million
Podcast: Unchained
Host: Laura Shin
Guest: Omer Goldberg (Founder & CEO, Chaos Labs)
Date: April 4, 2026
Episode Overview
This episode of Unchained dives into the $285 million hack of Drift Protocol—the largest decentralized perpetual futures exchange on Solana. Laura Shin and Omer Goldberg conduct a forensic breakdown of the multilayered attack, explore its chilling sophistication, discuss the implications for DeFi security, analyze community and industry responses, and debate what this means for the future of decentralized finance.
Key Discussion Points & Insights
1. Anatomy of the Drift Protocol Hack
- Scale & Impact
- Drift Protocol's TVL was about $500 million before the hack; over half was drained.
- Catapults Drift into the top 10 DeFi hacks ever and the largest of 2026 so far (00:54).
- Attack Timeline
- The exploit was methodical, taking over three weeks to execute (02:00).
- Drift initiated a migration to a new 2/5 multisig (five signers, only two required), but with zero time lock—a crucial security lapse (02:33).
- In parallel, the attacker created a fake token (CVT) and an associated fake oracle, orchestrating conditions for the exploit (03:30).
- Execution Steps
- Attacker waited for April Fool’s Day for added confusion and deniability (03:20).
- A series of rapid transactions manipulated the Drift protocol, depositing and inflating fake collateral before extracting blue-chip assets (03:22, 04:12).
- Culminated in bridging out funds to Ethereum—demonstrating premeditation and skill.
Quote:
“There are at least five or six discrete steps that the attacker had to do, which for me indicates that this was not like a random person who stumbled upon the keys. They studied the program, they were methodical and strategic...”
— Omer Goldberg (03:55)
2. Admin Key & Multisig Vulnerability
- The Multisig Flaw
- Migrated to a 2/5 multisig, but this is only a slight step above single-signer security (04:49, 21:58).
- Absence of a time lock removed a critical failsafe; team might have caught and prevented the anomaly otherwise (20:48).
- Compromised Signer
- Evidence suggests the attacker hijacked a key from a previous signer and immediately added a second cosigner, hitting the required threshold within 1 second (07:26).
Quote:
“...the new multisig was immediately signed by a second cosigner 1 second after it was created, and that met the 2 out of 5 threshold.”
— Laura Shin (07:27)
- Potential Supply Chain Attack
- Speculation points to a supply chain attack, possibly leveraging corrupted open-source libraries like Axios, enabling full machine compromise without breaking cryptography (06:12).
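To make the governance points above concrete, here is an added toy model (not Drift's program and not code discussed in the episode) of an m-of-n admin with an optional time lock. It contrasts the configuration the episode describes (2-of-5, zero delay) with a 3-of-5 setup under a 48-hour lock, and includes a detection rule that flags any proposal whose threshold is reached faster than a human review could plausibly take, the "second cosigner one second later" pattern. Signer names, timestamps and the review window are constructed values.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proposal:
    """One admin action awaiting signatures (constructed model)."""
    pid: int
    created_at: int                                # unix seconds
    approvals: dict = field(default_factory=dict)  # signer -> approval time
    executed_at: Optional[int] = None


class Multisig:
    """Minimal m-of-n admin with an optional execution delay (time lock)."""

    def __init__(self, signers, threshold, timelock_seconds):
        self.signers = set(signers)
        self.threshold = threshold
        self.timelock = timelock_seconds
        self.proposals = {}

    def propose(self, pid, signer, now):
        self._require_signer(signer)
        self.proposals[pid] = Proposal(pid, now, {signer: now})

    def approve(self, pid, signer, now):
        self._require_signer(signer)
        self.proposals[pid].approvals[signer] = now

    def execute(self, pid, now):
        p = self.proposals[pid]
        if len(p.approvals) < self.threshold:
            raise PermissionError("threshold not met")
        if now < p.created_at + self.timelock:
            raise PermissionError("time lock has not elapsed")
        p.executed_at = now
        return True

    def _require_signer(self, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not an authorized signer")


def suspicious_proposals(ms, min_review_seconds=600):
    """Detection rule: flag proposals whose threshold was reached faster than
    a human review could plausibly take (window is a constructed default)."""
    flagged = []
    for p in ms.proposals.values():
        times = sorted(p.approvals.values())
        if len(times) >= ms.threshold:
            reached_at = times[ms.threshold - 1]
            if reached_at - p.created_at < min_review_seconds:
                flagged.append(p.pid)
    return flagged


def run_scenarios():
    signers = ["s1", "s2", "s3", "s4", "s5"]
    t0 = 1_775_000_000  # constructed timestamp

    # Scenario A: 2-of-5, no time lock. Two keys suffice and the action can
    # execute in the same second it reaches threshold.
    weak = Multisig(signers, threshold=2, timelock_seconds=0)
    weak.propose(1, "s1", t0)
    weak.approve(1, "s2", t0 + 1)
    executed_immediately = weak.execute(1, t0 + 1)

    # Scenario B: 3-of-5 with a 48-hour time lock. Three approvals still
    # cannot execute until the delay passes, leaving time to respond.
    strong = Multisig(signers, threshold=3, timelock_seconds=48 * 3600)
    strong.propose(1, "s1", t0)
    strong.approve(1, "s2", t0 + 1)
    strong.approve(1, "s3", t0 + 2)
    try:
        strong.execute(1, t0 + 2)
        blocked_by_timelock = False
    except PermissionError:
        blocked_by_timelock = True
    executes_after_delay = strong.execute(1, t0 + 48 * 3600)

    return {
        "weak_executed_immediately": executed_immediately,
        "strong_blocked_by_timelock": blocked_by_timelock,
        "strong_executes_after_delay": executes_after_delay,
        "alerts_weak": suspicious_proposals(weak),
        "alerts_strong": suspicious_proposals(strong),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

Note that the detection rule fires in both scenarios: a time lock buys the team time, but only an alert on the anomalous approval timing turns that time into a chance to intervene.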
3. The CVT Fake Token / Oracle & Market Manipulation
- Fake Collateral, Fake Price
- Attacker created CVT, manipulated AMM pools to inflate its price via a fake oracle, then added it as collateral to Drift, granting themselves massive borrowing power (09:40, 10:05).
- Used admin privileges to whitelist CVT and set arbitrary oracles and risk parameters (11:02).
Quote:
“With those privileges of the admin, they were able to whitelist this token and decide where the Oracle was coming from...pumped on a very low liquidity pool the price of the asset, effectively they had hundreds of millions of dollars in collateral...”
— Omer Goldberg (12:25)
- Multi-Pronged Attack
- Combined social engineering, oracle manipulation, and market manipulation, reminiscent of past high-profile exploits like Mango Markets and Aave (11:02, 13:40).
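The collateral step above comes down to how much borrowing power a risk engine credits for an asset whose price comes from an admin-configured oracle. The following added example (constructed for this summary, not Drift's risk engine) sets a naive valuation that trusts the configured oracle outright beside a guarded one that requires an independent reference feed, rejects oracle prices that deviate from it, and caps credited value by the liquidity that actually backs the price. Market figures, symbols and thresholds are constructed, not the real on-chain numbers.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Market:
    """Collateral asset as seen by a toy risk engine (constructed model)."""
    symbol: str
    oracle_price: float               # price from the oracle the admin configured
    reference_price: Optional[float]  # independent feed; None if none exists
    pool_liquidity_usd: float         # depth of the venue the oracle reads
    collateral_weight: float          # haircut applied to the asset, 0..1


def naive_collateral_value(qty, m):
    """Trusts the configured oracle outright: admin-set price * weight."""
    return qty * m.oracle_price * m.collateral_weight


def guarded_collateral_value(qty, m, max_deviation=0.05, liquidity_cap_ratio=0.25):
    """Three checks a risk engine can apply before crediting borrowing power."""
    # 1. No independent reference: credit nothing rather than trust one feed.
    if m.reference_price is None:
        return 0.0
    # 2. Configured oracle disagrees with the reference beyond tolerance: reject.
    deviation = abs(m.oracle_price - m.reference_price) / m.reference_price
    if deviation > max_deviation:
        return 0.0
    value = qty * min(m.oracle_price, m.reference_price) * m.collateral_weight
    # 3. Cap credited value by a fraction of the liquidity backing the price,
    #    so a thin pool cannot underwrite a large loan.
    return min(value, liquidity_cap_ratio * m.pool_liquidity_usd)


def compare(qty, m):
    """Side-by-side result for one deposit of qty units of market m."""
    return {
        "naive": naive_collateral_value(qty, m),
        "guarded": guarded_collateral_value(qty, m),
    }


# Constructed markets for illustration only.
CVT_NO_REFERENCE = Market("CVT", 1000.0, None, 50_000.0, 0.9)   # freshly whitelisted, one oracle
CVT_PUMPED = Market("CVT", 1000.0, 0.01, 50_000.0, 0.9)         # oracle far above reference
THIN = Market("THIN", 10.0, 10.0, 100_000.0, 0.5)               # honest price, shallow pool
BLUECHIP = Market("SOL", 150.0, 151.0, 50_000_000.0, 0.8)       # deep, consistent feeds


if __name__ == "__main__":
    for label, qty, m in [("no reference", 300_000, CVT_NO_REFERENCE),
                          ("pumped oracle", 300_000, CVT_PUMPED),
                          ("thin pool", 100_000, THIN),
                          ("blue chip", 1_000, BLUECHIP)]:
        print(label, compare(qty, m))
```

With the naive rule, 300,000 units of a token priced at 1000 by its own oracle are credited as 270 million of collateral; the guarded rule credits zero because there is no independent reference, and would also credit zero if a reference existed but disagreed. The liquidity cap is what matters for an honestly priced but illiquid asset, and a deep blue-chip market passes all three checks unchanged.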
4. Exploit of Solana Durable Nonces
- Durable Nonces: A Solana-Specific Weapon
- Attackers used Solana’s 'durable nonce' feature, allowing them to pre-sign transactions and execute them at the optimal moment, evading detection (14:42).
- Without the durable nonce, the exploit window would have been just 2 minutes, increasing risk for the hacker (15:29).
Quote:
“The durable nonce, basically like what it solves for, is that you can sign transactions that don’t have time expiration...But what it did here is, as soon as the attacker had access to those keys, they were able to sign in those transactions and not ring any alarms and just wait for the perfect time to execute the attack.”
— Omer Goldberg (14:42)
- Security Consideration: Monitoring vs. Prevention
- Solana’s Anatoly Yakovenko argued these features are essential, but Omer stressed proactive monitoring (PagerDuty, etc.) is necessary but not sufficient for prevention (16:27, 17:39).
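To show why a pre-signed durable-nonce transaction changes the monitoring problem, here is an added model (not Solana client code and not from the episode) of the two validity rules involved: a transaction built on a recent blockhash is accepted only while that blockhash is within the last 150 slots, whereas a durable-nonce transaction stays valid until the nonce account is advanced, and must carry an AdvanceNonceAccount instruction first. The monitoring function then flags nonce accounts controlled by privileged keys and privileged transactions that execute through a nonce, which is the kind of leading indicator the episode's "monitoring is necessary but not sufficient" point calls for. Key names, slot numbers and nonce values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Solana rule: a recent blockhash expires after 150 slots (a minute or two).
BLOCKHASH_VALIDITY_SLOTS = 150


@dataclass
class Tx:
    """Constructed transaction model: either a recent blockhash or a nonce."""
    signer: str
    blockhash_slot: Optional[int] = None   # slot in which the blockhash was issued
    nonce_account: Optional[str] = None    # set when the tx uses a durable nonce
    nonce_value: Optional[str] = None      # nonce the tx was signed against
    instructions: tuple = ()


@dataclass
class NonceAccount:
    authority: str       # key allowed to advance the nonce
    current_nonce: str


def is_executable(tx, current_slot, nonce_accounts):
    """Mirror the two validity rules: blockhash age vs. nonce still current."""
    if tx.nonce_account is None:
        return current_slot - tx.blockhash_slot <= BLOCKHASH_VALIDITY_SLOTS
    acct = nonce_accounts.get(tx.nonce_account)
    return (acct is not None
            and acct.current_nonce == tx.nonce_value
            and tx.instructions[:1] == ("AdvanceNonceAccount",))


def nonce_alerts(nonce_accounts, executed_txs, privileged_keys):
    """Monitoring rule: privileged keys should rarely need durable nonces, so
    both nonce accounts they control and nonce-based transactions they sign
    are worth an alert (a constructed policy, not a Solana feature)."""
    alerts = []
    for name, acct in nonce_accounts.items():
        if acct.authority in privileged_keys:
            alerts.append(f"nonce account {name} is controlled by privileged key {acct.authority}")
    for tx in executed_txs:
        if tx.nonce_account is not None and tx.signer in privileged_keys:
            alerts.append(f"privileged key {tx.signer} executed via nonce account {tx.nonce_account}")
    return alerts


def run_scenario():
    admin = "admin_key"
    accounts = {"nonceA": NonceAccount(authority=admin, current_nonce="n1")}
    regular = Tx(signer=admin, blockhash_slot=1000, instructions=("UpdateAdmin",))
    presigned = Tx(signer=admin, nonce_account="nonceA", nonce_value="n1",
                   instructions=("AdvanceNonceAccount", "UpdateAdmin"))

    weeks_later = 1000 + 5_000_000  # roughly three weeks of slots (constructed)
    result = {
        "regular_valid_now": is_executable(regular, 1100, accounts),
        "regular_valid_weeks_later": is_executable(regular, weeks_later, accounts),
        "presigned_valid_weeks_later": is_executable(presigned, weeks_later, accounts),
    }
    # Advancing the nonce (e.g. by rotating the account) invalidates the pre-signed tx.
    accounts["nonceA"].current_nonce = "n2"
    result["presigned_after_advance"] = is_executable(presigned, weeks_later, accounts)
    accounts["nonceA"].current_nonce = "n1"
    result["alerts"] = nonce_alerts(accounts, [presigned], {admin})
    return result


if __name__ == "__main__":
    print(run_scenario())
```

The last step is the defensive lever the model exposes: once an admin key is suspected of compromise, advancing or closing any nonce account it controls invalidates transactions signed against the old nonce, which an ordinary blockhash-based transaction would have lost on its own after 150 slots.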
5. DeFi Risk Management & Failures
- Critical Safeguards Missing
- No time locks, weak multisig configuration, and absence of real-time alerting stood out as gaping holes (19:52, 20:48).
- Drift team seemed insufficiently “paranoid”; the episode highlights the industry’s continued struggle with integrating Web2 OPSEC rigor (23:07).
- Contagion & Ecosystem Impact
- The ramifications extended to over 20 protocols: vaults (Prime Number, Gauntlet, Nitrade), borrow/lend protocols (Pyra), and emerging yield aggregators all suffered losses due to integration with Drift (26:06).
- Ecosystem-wide fallout due to lack of monitoring and alerting; by the time teams understood, it was too late (27:50).
6. Laundering the Stolen Funds: Circle & CCTP Controversy
- Slow Response from Circle
- Circle’s inaction to freeze funds transferred via CCTP drew ire (ZachXBT’s tweet flagged a 6-hour window, 28:52).
- Omer suggests Circle waits for court order/legal clarity before blacklisting, which draws both criticism and understanding—enforcing freezes with imperfect information is contentious (29:44).
7. Attribution: North Korea’s “Lazarus Group” Suspected
- Patterns & Comparison to Bybit Hack
- Attack shares clear parallels with previous hacks attributed to North Korea—a combination of sophisticated technical steps, deceptive key use, and methodical execution (32:20).
- Omer notes distinguishing markers, such as how signers were manipulated and protocols controlled, but stops short of direct attribution, pending post-mortem and fund analysis (33:23).
8. The Ongoing “What is DeFi?” Debate
- Centralization vs. True DeFi
- Hayden Adams (Uniswap): Criticizes platforms that allow any admin key to drain funds, arguing they're not truly DeFi and damage the brand (34:34).
- Hasu: Stresses importance of circuit breakers, security councils, and time locks—accepting some friction to gain vastly improved risk posture (34:34).
Quote:
“We have to stop letting centralized things call themselves DeFi. Admin key can drain all funds. Otherwise DeFi means nothing and its brand is destroyed.”
— Hayden Adams, via Laura Shin (34:34)
Quote:
“We don’t need insurance. We need to start doing the fucking basics correctly...The worst possible UX is losing your user’s money.”
— Hasu, via Laura Shin (34:34)
- Guest Perspective:
- Omer acknowledges the spectrum between full decentralization and pragmatic centralization, but stresses the need for transparency, robust audits, and active risk management (35:46).
Notable Quotes & Memorable Moments
- “This one was very technical, well thought out and from what we know today, spend at least three weeks.” — Omer Goldberg (02:00)
- “...no time lock, no multi sig and no delays, which is how all this happened.” — Laura Shin (19:52)
- “...this is something that I've seen kind of less prevalent amongst Web3 teams in their understanding.” — Omer Goldberg (23:52)
Important Timestamps
- 00:42 – Introductions & episode framing
- 02:00 – Timeline and sophistication of the hack
- 04:49 – Multisig setup and admin key compromise
- 09:40 – Creation and manipulation of CVT as fake collateral
- 14:42 – Explaining durable nonces and how they enabled the attack
- 19:52 – Security lapses: lack of time locks, multisig, and alerting
- 26:06 – Contagion through the Solana DeFi ecosystem
- 28:52 – Circle’s non-response to freezing stolen funds
- 32:20 – Attribution to North Korea’s Lazarus Group discussed
- 34:34 – The “true DeFi” debate: Hayden Adams and Hasu’s perspectives
- 35:46 – Omer’s views on decentralization, risk, and user choice
Conclusion
This episode underscores how DeFi still faces fundamental technical and operational risks, especially where centralization points persist. The Drift Protocol hack stands out as a masterclass in adversarial preparation—combining social engineering, supply chain compromise, oracle and market manipulation, and platform-specific technical features. It’s a sobering lesson for the entire crypto industry on the persistent need for paranoia, security hygiene, and transparency in both protocol design and operations.
