Drift loses $285 million: it's not a code issue, someone was scammed.


The real problem happened to the people first

@mert’s tweet changed the direction of the whole discussion: it’s not that the contract had a vulnerability, but social engineering: the attacker spent months building trust, met in person offline, and then delivered the malicious payload through a TestFlight link. @SheTalksCrypto and @evilcos broke down the $285 million theft from the Drift protocol; some people said it was done by North Korea. But the real issue isn’t which country the hackers are from: months of relationship-building bypassed every code audit. After the incident, outflows from Solana perpetual platform funds rose by about 15%.

People’s views are split: some say it’s a “state-level espionage operation,” while others say it’s just the team being dumb. I think neither side is getting to the point. Fixating on who did it only distracts attention—the real problem is a missing process that is entirely preventable—for example, the 2/5 multisig threshold is too low, and developers use their signing devices for everyday work. Chasing the culprit doesn’t change risk pricing; what got priced wrong is the human layer, not geopolitics.

  • The news spread fast: @solana_sailor and @BroLeon’s long posts pointed the clues to the Radiant Capital incident; the retweet volume amplified it by 14x, making it the main topic in the Solana circle over the weekend.
  • Security experts drove real changes: Sophos had already warned that TestFlight was being used for crypto scams; @evilcos connected it to the VSCode attack surface and pushed the team to adopt isolated development and signing environments.
  • Market behavior shows the problem: DRIFT fell by more than 20%, and the vault was liquidated; SOL basically held steady. Traders look like they’re pricing ecosystem resilience, not panic-selling.
  • There will be improvements in Q2: human-factor audits, insurance tooling, and higher multisig standards are all planned.

Key takeaways:

  • The main threat is social engineering, not a code issue;
  • People and device isolation will become the security focus;
  • The market is no longer focused on “who did it” and has started pricing “process upgrades.”

Multisig rules can’t stop a six-month-long infiltration

The core issue is: posing as a quantitative trading firm, spending six months, and putting up $1 million in real cash to build trust—this kind of long-term social engineering can pierce any audit that only looks at code. Even though on-chain tracking points to organizations tied to North Korea, smart money moved earlier: major net buys on competing perpetual platforms (such as Hyperliquid) increased by 25%, betting that Drift’s recovery will be slow. Claims that blockchains are “naturally secure” don’t hold up. Until the protocol enforces hardware-isolated signing, this will keep happening—ignoring it means underestimating tail risk.

View: Social engineering is the main threat
Evidence: @evilcos’s analysis of VSCode/TestFlight; on-chain confirmation of the $285 million outflow
What traders are doing: Pulling out of Solana perps, with 12% of trading volume shifting to ETH substitutes
What I think: Too much panic. Teams that implement air-gapped signing and environment isolation will step up.

View: Attribution decides everything
Evidence: @BroLeon points to Radiant’s similar case; a long-form piece on forensics
What traders are doing: SOL shorts briefly rose 8% then quickly fell back
What I think: Noise. Focus on security upgrades, not geopolitics; patient capital has better opportunities.

View: Basic work wasn’t done
Evidence: @0xSweep comparing Web2 security standards; the multisig threshold is indeed too low
What traders are doing: DRIFT liquidity got tighter, with TVL down 30%
What I think: You’re right. Don’t rush to believe the “quick recovery” narrative; wait until the process has actually changed.

View: The Solana ecosystem isn’t the problem
Evidence: @chainyoda says you shouldn’t blame Solana; vault integration is stable
What traders are doing: Limited contagion; SOL had net inflows of about 5%
What I think: Early signal. Lean toward competitors that are already audited and have strong processes (such as dYdX).

View: State-level attackers are upping the ante
Evidence: @agintender’s spy story; details on infiltration at meetings
What traders are doing: KYC pressure is rising, with some funds flowing out
What I think: Going too far. It has limited impact on flexible traders, but compliance costs for funds will rise.

These different views have created pricing bias. The optimists may be a bit early, but the real opportunity is shorting those protocols that move slowly on human-factor defenses.

Bottom line: Builders upgrading security now and long-term holders will benefit; short-term rotation has basically already happened. The heat of chasing the culprit is fading—don’t focus too much on that; look instead at which perpetual platforms are seriously improving processes.

Conclusion: It’s still not too late for builders and long-term holders to enter now; short-term traders are already late. Capital will flow to teams with “hard processes, device isolation, and high multisig thresholds,” and protocols that ignore the human-factor defenses should be systematically avoided.
