Two days after a single attacker drained $285 million from Drift Protocol's vaults, the damage is still spreading. On April 3, 2026, WuBlockchain reported that the fallout has reached at least 20 protocols, with Prime Numbers Fi citing losses above $10 million, the largest secondary loss disclosed so far.
Drift was Solana's largest perpetuals exchange by total value locked before the April 1 breach. Protocols that routed liquidity through Drift, used its vaults as collateral, or ran delta-neutral strategies on top of its infrastructure are now accounting for what they lost.
Who Got Hit and How Much
The confirmed list of affected protocols has grown steadily since the first hours after the exploit.
PiggyBank_fi disclosed approximately $106,000 in exposure through delta-neutral strategies and said it would cover affected users from team reserves. Ranger Finance halted RGUSD deposits and withdrawals, with estimated exposure north of $900,000. Reflect Money paused all minting and redemptions for its USDC+ and USDT+ tokens, though it noted its insurance coverage remains in place.
Project0 stopped all borrowing against Drift positions as a precaution. TradeNeutral, GetPyra, Uselulo, and Elemental DeFi all paused key features or reported limited exposure while running security assessments.
Then there is xPlace, which also paused certain features while checking for residual exposure. Jupiter, the largest Solana aggregator, confirmed its JLP pool remains fully backed despite JLP tokens being among the largest single asset classes the attacker drained from Drift.
Prime Numbers Fi, a lending and borrowing protocol on XDC Network that had cross-chain exposure to Drift liquidity, reported losses exceeding $10 million, according to WuBlockchain. That figure would make it the worst-hit secondary protocol by a wide margin, more than ten times the next-largest disclosed loss.
Why Solana DeFi Is Particularly Exposed
The contagion pattern reflects a structural feature of Solana's DeFi ecosystem: tight composability. Protocols routinely build on each other's liquidity. Yield aggregators deposit into Drift vaults. Lending protocols accept Drift LP tokens as collateral. Delta-neutral strategies hold long Drift positions against short hedges elsewhere.
When Drift's vaults emptied, every protocol in that chain of dependencies had to answer the same question: how much of our TVL was actually sitting in Drift? For some, the answer came back clean. For others, the numbers are still being tallied.
The attacker's method, which relied on pre-signed durable nonce transactions and social engineering rather than a smart contract bug, makes the damage harder to contain. A code exploit can be patched. An admin key compromise means every protocol that trusted Drift's governance layer was indirectly trusting the operational security of Drift's multisig signers.
Squads, the multisig infrastructure provider, confirmed on April 3 that two compromised signers on Drift's admin multisig executed the malicious transaction. Squads emphasized its own platform was not breached. The vulnerability was in how Drift managed its signing keys.
The Attacker's Position Is Still Growing
Meanwhile, the attacker's Ethereum wallet continues to hold roughly 130,000 ETH worth approximately $265 million at current prices (ETH at $2,044, down 1.9% over 24 hours, as of April 3, 2026). That position, assembled by bridging stolen Solana assets to Ethereum through Circle's CCTP and Wormhole, represents one of the largest single-wallet concentrations on the network.
BTC sits at $66,334 (down 0.9%), and the Fear and Greed Index reads 27, firmly in "Fear" territory. The broader market weakness compounds the problem for protocols trying to make affected users whole: assets earmarked for reimbursement are worth less today than when the exploit happened.
What Protocols Are Doing Now
Responses vary. Some protocols with minimal exposure, like Jupiter, issued statements and moved on. Others, like PiggyBank_fi, dipped into team treasuries to cover user losses immediately. The larger question is whether protocols with more significant exposure can absorb the hit without unwinding positions or delaying withdrawals for extended periods.
For users of self-custody cards and DeFi-integrated spending products, the Drift fallout is a reminder that composability cuts both ways. When everything is connected, a single point of failure can cascade across dozens of protocols in 48 hours.
Drift Protocol itself has not published a formal post-mortem beyond confirming the durable nonce attack vector and coordinating with law enforcement and exchanges to freeze the attacker's assets. The 130,000 ETH has not moved since consolidation.
Overview
The Drift Protocol exploit, the largest DeFi hack of 2026 at $285 million, has now spread to at least 20 secondary protocols. Prime Numbers Fi reported the steepest secondary loss at over $10 million. Confirmed affected protocols include PiggyBank_fi, Ranger Finance, Reflect Money, Project0, TradeNeutral, GetPyra, xPlace, Uselulo, Elemental DeFi, and others still assessing exposure. The attacker's 130,000 ETH position remains untouched on Ethereum. The incident has exposed how deeply Solana DeFi protocols are interlinked through shared liquidity and collateral arrangements.
