
Disclosure & Policies: ND MAGAZINE covers digital culture, internet communities, and onchain markets. Our editorial team operates independently, and contributors may hold digital assets or participate in projects discussed on this site. Opinions published here are for information and commentary, not investment advice. Policy questions and editorial requests can be sent to contact@ndmag.xyz.


$285 Million Drift Protocol Hack Aftermath: Solana-Based Carrot Protocol Officially Announces Shutdown

Solana-based yield protocol Carrot has announced its official shutdown after failing to overcome the aftermath of the Drift Protocol hack. With TVL plummeting 93% within a month, users must withdraw their assets by May 14, 2026.

Creator: Heny
Date: May 1, 2026

Carrot, a yield protocol in the Solana ecosystem, has officially declared the end of its operations one month after the $285 million Drift Protocol hack. Following the attack on April 1, 2026, Carrot's Total Value Locked (TVL) plummeted by 93% in a month, and the protocol has set May 14, 2026, as the final withdrawal deadline. This marks the first major case this year of a single protocol's bankruptcy resulting from a DeFi hack.

The Carrot operations team announced the start of immediate shutdown procedures on April 30, 2026. Users must recover all assets deposited in Boost, Turbo, and CRT pools by May 14, 2026. For assets remaining after the deadline, a protocol-level forced deleveraging process will be conducted, which may result in a decline in asset value.

"The liquidity depletion and infrastructure damage caused by the Drift Protocol hack exceeded what our team could handle, leading us to conclude that continued operation is impossible."

The incident originated from a $285 million exploit of Drift Protocol on April 1, 2026. By creating fake tokens and seizing admin keys, the attacker withdrew a large amount of core assets, including USDC and JLP, from the protocol in just 12 minutes. Security experts point to North Korean (DPRK)-linked hacker groups as the culprits and assess the attack as the result of sophisticated social engineering rather than a simple code error.

Rapid Asset Outflow and Financial Collapse

Carrot's TVL, which was approximately $28 million before the hack, shrank to $1.99 million as of May 1, 2026. The team attempted a recovery by implementing restructuring plans such as asset consolidation and leverage limits starting in early April, but could not prevent a bank run caused by the loss of investor confidence. The paralysis of Drift Protocol, which served as a liquidity source, resulted in the collapse of Carrot's own revenue generation model.

  • April 1, 2026: $285 million outflow due to Drift Protocol hack
  • April 2, 2026: Carrot begins restructuring and limits withdrawals in some markets
  • April 30, 2026: Carrot announces official end of operations and shutdown
  • May 14, 2026: Deadline for user asset withdrawals and forced deleveraging

The Carrot team emphasized that they made various efforts to maintain the protocol throughout April. They tried to secure repayment capacity by limiting withdrawals in specific markets and consolidating assets, but faced financial limits as the recovery of assets tied up in Drift Protocol became uncertain. Ultimately, the team decided to shut down, judging that further operating expenses would only reduce potential recoveries for users.

The most critical part of the asset recovery process is the issuance of IOU (I Owe You) tokens. Carrot decided to introduce an IOU token system to distribute compensation that may be recovered from Drift Protocol in the future. These will be allocated to CRT token holders based on a snapshot at a specific point in time, granting the right to receive funds proportionally when Drift's compensation program is activated.

New Threats and Lessons in DeFi Security

This incident highlights new security challenges facing the DeFi ecosystem in 2026. The Drift Protocol hack was a complex attack combining admin privilege seizure and oracle manipulation, rather than a bug in smart contracts. This shows that protocols must be more thorough not only in code security but also in operational security (OpSec) and governance privilege management.

Furthermore, Carrot's bankruptcy warns of the risks of the 'Lego-like' DeFi structure, which is highly dependent on specific large protocols. The contagion effect, in which a protocol built on top of another collapses in turn when the underlying protocol fails, can lead to a liquidity contraction across the entire Solana ecosystem. Industry experts advise that future protocol designs should diversify their dependencies on external platforms and strengthen emergency stop mechanisms.

In conclusion, Carrot's shutdown has dealt a significant blow to the virtual asset market in the first half of 2026. Users must move their assets to personal wallets before the May 14 deadline to prevent further losses. The Carrot team promised to transparently disclose the compensation process through IOU tokens even after the protocol's closure, but actual asset recovery is expected to take considerable time.

