On April 1, 2026, Drift Protocol was the target of a sophisticated operation orchestrated by a DPRK-affiliated threat actor, as confirmed by forensic firm Mandiant. The attack resulted in the loss of $295M in user funds. Following the exploit, Drift temporarily suspended all core protocol functions including trading and borrowing to prevent further unauthorized activity. The previous incident recovery update can be found here.
Over the past month, the Drift team has been actively advancing the user recovery framework to ensure users are made whole, working with law enforcement to recover frozen funds, and rebuilding Drift as a security-first protocol.
This post details what users can expect of the recovery plan and the Drift relaunch. Some details below may be subject to change — key decisions will go through a governance proposal and a DAO vote before being finalized. Follow @DriftProtocol for the latest updates.
Where the Funds Are Now
The majority of stolen assets remain traceable and contained with limited successful off-ramping by the attacker. Drift is working with a variety of parties and law enforcement to actively recover frozen funds.
- Attacker-Controlled Wallets: Approximately 130,259 ETH (~$293M) is concentrated across four Ethereum wallets. These wallets are actively monitored and have been flagged across exchanges and relevant parties.
- Bridge-Level Containment: Two transfers via Wormhole have been delayed by the Wormhole Governor until late July, effectively locking funds in transit:
  - ~59.37 WBTC
  - ~557.90 WETH
- Frozen Stablecoins: Three transfers via Circle’s CCTP have been successfully frozen, totaling approximately 3.36M USDC. Drift is working with law enforcement to obtain a seizure warrant to burn and reissue funds back to the protocol. Legal proceedings are ongoing, with no confirmed timeline at this stage.
For the full breakdown of compromised assets, read here.
User Recovery Plan
Every wallet impacted by the April 1 exploit will be issued a recovery token, which represents a user’s verified loss and their proportional claim on the recovery pool. Here is how it works:
Recovery Token
Each recovery token represents $1 of verified loss. Verified loss is calculated based on the treatment of protocol remaining balances and positions outlined in the methodology section below. The recovery token is separate from the DRIFT governance token.
Recovery Pool
The recovery pool will be seeded with the protocol’s remaining assets, which will be converted to stablecoin to lock in notional value. The current notional value of remaining assets is approximately $3.8M; the final converted figure in USDT will be announced once all swaps are complete. The final treatment of remaining assets will be subject to DAO voting through a governance proposal.
From there, the pool grows through three capital streams:
- Exchange Revenue: Each quarter, a substantial portion of the exchange’s net revenue flows directly into the recovery pool, denominated in USDT. This continues until the pool reaches the total exploit losses (~$295M).
- Tether Matched Deployment: Tether has committed up to $127.5M to support relaunch and user recovery. Deployment will be based on the exchange’s prior-quarter revenue.
- Additional Partner Capital: Strategic partners have committed up to $20M to support user recovery.
The pool will continue accruing until total inflows match total exploit losses of $295,426,725.97. Once the recovery pool matures, revenue accrual will stop and all outstanding tokens can be redeemed at full par value or more.
Redemption
Redemption opens once the Recovery Fund exceeds $5M, following this formula:
Redemption Price = Recovery Fund Value / Outstanding Supply
Redemption is burn-on-redeem and one-time per recovery token. This means that if a user redeems their Recovery Tokens before the recovery pool fully matures, the user forfeits any remaining claims to the recovery pool.
Claim Mechanics
Recovery Token is a transferable SPL token, claimable by wallets included in a verified snapshot of affected users. The snapshot timestamp can be found in the recovery methodology below.
- Claim window: There will be a claim window starting from the date withdrawals open. Any Recovery Token unclaimed at the close of that window is burned, which proportionately increases the redemption value for remaining holders.
- Recovery Token is not eligible as collateral on Drift at relaunch.
- Claim date will be announced closer to relaunch.
The recovery pool and redemption method will be subject to governance proposals and subsequent DAO voting.
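The redemption formula and the claim-window burn described above can be modelled as a small ledger. This is an added example, not Drift's code: the wallet names and balances are constructed, and it assumes that a payout is deducted from the fund and that redemption stays open once the fund has exceeded $5M.

```python
from decimal import Decimal

OPEN_THRESHOLD = Decimal("5000000")  # "$5M" redemption threshold from the post

class RecoveryPool:
    """Toy ledger: 1 token = $1 of verified loss; the fund is held in USDT."""
    def __init__(self, fund, claims):
        self.fund = Decimal(fund)
        self.claims = {w: Decimal(v) for w, v in claims.items()}
        self.open = self.fund > OPEN_THRESHOLD  # assumption: one-way latch

    def supply(self):
        return sum(self.claims.values(), Decimal(0))

    def price(self):
        return self.fund / self.supply()  # Recovery Fund Value / Outstanding Supply

    def add_inflow(self, usdt):
        self.fund += Decimal(usdt)
        self.open = self.open or self.fund > OPEN_THRESHOLD

    def burn_unclaimed(self, wallets):
        for w in wallets:  # tokens unclaimed when the claim window closes
            self.claims.pop(w, None)

    def redeem(self, wallet):
        if not self.open:
            raise RuntimeError("redemption not open: fund has not exceeded $5M")
        price = self.price()              # price before this wallet's burn
        tokens = self.claims.pop(wallet)  # burn-on-redeem; KeyError on a second try
        payout = tokens * price
        self.fund -= payout               # assumption: payout comes out of the fund
        return payout

def run_scenario():
    # Constructed figures, not Drift's real snapshot.
    pool = RecoveryPool("4000000",
                        {"alice": "30000000", "bob": "50000000", "carol": "20000000"})
    prices = [pool.price()]           # at launch
    pool.burn_unclaimed(["carol"])    # carol never claims
    prices.append(pool.price())
    pool.add_inflow("12000000")       # revenue and partner inflows
    prices.append(pool.price())
    early = pool.redeem("alice")      # redeems before the pool matures
    prices.append(pool.price())
    pool.add_inflow("40000000")
    late = pool.redeem("bob")         # redeems at par
    return prices, early, late
```

Under these assumptions an early redemption leaves the price unchanged for remaining holders, while the early redeemer gives up every later inflow.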
Insurance Fund Withdrawals
The Insurance Fund was not affected by the exploit. The notional value of the assets in the Insurance Fund before the attack was approximately $20M.
Release of the funds in the Insurance Fund is dependent on a governance proposal and subsequent DAO voting.
To contribute to the outcome of the funds, participate in governance to determine whether the funds will be available to depositors or added to the recovery pool.
Position Snapshot
The following outlines how user balances and positions may be calculated for the issuance of the Recovery Token. The final mechanism is subject to a governance proposal and subsequent DAO voting.
Snapshot Timestamp
All user positions — both perpetual and spot — were snapshotted at protocol pause: 18:31:47 UTC on April 1, 2026. This timestamp was chosen to account for withdrawals made via borrowing from addresses not associated with the attacker during the attack window.
Protocol Remaining Balance
Spot assets remaining in the protocol at the time of pause will be converted to stablecoin (USDT). All available conversion methods will be explored, such as spot trading, OTC, and on-chain aggregators, with the final avenue chosen based on best available liquidity and operational efficiency. The converted notional value will be used to back Recovery Token at launch.
Assets will not be returned directly to depositors because all borrow/lend markets share a single liquidity pool. Returning deposits to lenders before borrows are repaid would remove liquidity that other accounts depend on, permanently breaking the pool's accounting integrity. Converting to stablecoin ensures all protocol obligations are resolved in the correct order before distribution.
Oracle Price
The oracle price used to calculate notional balances is the price at 16:06:00 UTC on April 1, 2026. This price is taken from before the attack began rather than at program pause, because the incident distorted market prices during the affected window. Using a pre-attack price ensures users are not penalized for position movements caused by the exploit itself.
Interest Accrued
All spot balances stopped accruing interest at the time of protocol pause. Any interest accrued during the affected window has been factored into user balances. Users will not be required to pay any outstanding interest upon relaunch.
Ongoing Recovery Efforts
Drift is actively pursuing fund recovery across multiple fronts with recovery efforts supported by leading cybersecurity forensic and intelligence partners, ZeroShadow and Mandiant.
Bounty Program
In collaboration with Bybit and other partners, Drift Protocol has launched a public bounty program: a 10% bounty on any successfully recovered assets. The program is listed publicly to maximize participation from whitehats, security researchers and the broader ecosystem.
Participate here: https://www.lazarusbounty.com/en/DRIFT
Relaunching a Security-First Drift
The Drift team is aiming to relaunch Drift in Q2 2026 as a leaner, perps-native exchange with an emphasis on security. Security changes outlined below are a direct response to what the April 1 attack exposed. Some key decisions will go through a governance proposal and DAO vote before being finalized.
Security & OpSec
A formal OpSec policy governs all multisig signers. The setup of the new OpSec will go through a governance proposal and a DAO vote. For multisig operations, signers use a dedicated device, critical instructions are time-locked with proactive alerts, and the durable-nonce attack surface (central to how the April 1 exploit was executed) has been removed entirely. Quarterly OpSec sessions will be held, backed by a reporting culture that allows incidents to be surfaced and resolved quickly.
Program & Dependencies
A new Drift program will be deployed at a fresh address with fully rotated keys. Mandatory instruction-level audits are required before any mainnet deployment. The Anchor 1.0 upgrade and removal of unused program code reduce the attack surface and keep the program lightweight. The exchange is being refocused on perps — concentrating both liquidity and engineering effort on the core product.
Earn products like Isolated Markets and Amplify will be removed, while development of Drift’s Prop AMM and Mobile App is being reviewed for a new timeline.
Multisig Setup
Timelocks are being implemented for sensitive operations, ensuring that administrative actions cannot be executed immediately and that there is a mandatory review window for detection and intervention before execution. Real-time monitoring across all signers will be set up in collaboration with ecosystem partners to enable early detection of anomalous activity.
Both the updated multisig structure and timelock mechanisms are core requirements for going live. These components will undergo independent audits and security review, including participation in the STRIDE program.
Stablecoin Migration
USDT will be the primary stablecoin across the exchange as collateral and perp settlement.
Markets
Supported collateral assets and perp markets have been narrowed to the most popular and liquid pairs, concentrating liquidity and volume in the markets that matter most.
Liquidity at Relaunch
Leading market makers across the crypto industry and within the Solana ecosystem have committed to provide liquidity from day one, establishing a strong base of depth and two-sided flow. Tether’s $20M market-making facility ensures tight spreads and stable markets. More liquidity providers are being onboarded to further support market depth at relaunch.
Trading liquidity and user compensation flows are structured separately; repayments will not impair market depth or exchange functionality.
Final Note from the Team
The Drift team is taking considered measures to ensure that users are made whole, and that Drift restores itself as the leading perpetuals DEX on Solana. The team has made hard internal decisions to restructure and operate as leanly as possible, focusing entirely on recovery and relaunch.
This will take time but the structure is in place, ecosystem partners are committed and the work is underway. Drift will publish updates as more progress is made. For any questions, please open a support ticket on Discord.



