Home Tags Posts tagged with "second"
Tag:

second

Crypto Trading & Analysis

Drift Protocol Suffers Historic $285 Million Hack, Solana’s Second-Largest DeFi Breach, Suspected North Korean Involvement

by Siti Muinah
written by Siti Muinah

On April 1, 2026, the decentralized finance (DeFi) landscape was shaken to its core as Drift Protocol, a flagship platform on the Solana network, experienced a catastrophic security breach. The incident, which began around 16:05 UTC, resulted in the theft of an estimated $285 million, marking it as the largest DeFi hack of the year to date and the second most significant security failure in Solana’s history. The exploit not only drained over half of Drift Protocol’s total value locked (TVL) but also sent ripples of instability across the interconnected Solana ecosystem, impacting at least twenty other protocols. Preliminary investigations by Drift Protocol, supported by preliminary findings from blockchain analytics firms, point towards actors associated with the Democratic People’s Republic of Korea (DPRK), potentially linking this event to a broader pattern of state-sponsored cybercrime targeting the cryptocurrency sector.

The sophisticated nature of the attack, which appears to have been meticulously planned over several months, underscores a growing trend in DeFi security threats, shifting the focus from solely smart contract vulnerabilities to the complex interplay of human psychology, operational security, and technical infrastructure.

A Carefully Orchestrated Infiltration

The genesis of the Drift Protocol hack can be traced back to as early as Fall 2025, with on-chain evidence suggesting that preparatory activities, including the withdrawal of funds from privacy-enhancing mixers like Tornado Cash to finance attack infrastructure, commenced around March 10-11, 2026. This lengthy preparation period highlights the attackers’ deliberate strategy to build trust and gather intelligence before executing the final phase of their operation.

According to Drift Protocol’s internal investigation, the infiltration began with threat actors posing as representatives of a legitimate quantitative trading firm. These individuals initiated contact with Drift contributors at major cryptocurrency conferences, engaging in seemingly earnest discussions about potential integrations and partnerships. Over the subsequent six months, these interactions were maintained and deepened through various channels, including Telegram, dedicated working sessions, and further in-person meetings at international events.

The attackers meticulously cultivated an air of authenticity. They reportedly onboarded a vault on Drift, depositing over $1 million in capital, and actively participated in detailed strategic and product discussions. This sustained engagement was designed to foster credibility and gain proximity to key personnel and internal systems within the Drift ecosystem. This long-term social engineering campaign appears to have been the primary vector for gaining access to the protocol’s administrative privileges.

The Deception: A Synthetic Asset and a Controlled Oracle

A critical element of the attack involved the creation and manipulation of a synthetic asset. Weeks before the exploit, on March 12, 2026, the attackers launched the CarbonVote Token (CVT). They swiftly acquired approximately 80% of the token’s total supply, granting them near-absolute control over its market dynamics.

To legitimize CVT, the attackers established a small trading pool with minimal real liquidity, estimated to be around $500. Within this pool, they engaged in wash trading—simultaneously buying and selling CVT between their own wallets—to artificially inflate trading volume and create the illusion of organic market activity and a stable price. This manufactured activity was designed to deceive external systems, including price oracles, into perceiving CVT as a legitimate and stable asset.

Crucially, the attackers gained control over a price oracle that subsequently began reporting CVT as having a stable value of approximately $1. From Drift Protocol’s perspective, CVT now appeared to be a token with demonstrable demand, a trading history, and a recognized price, making it a seemingly viable candidate for integration into the protocol’s operations.

Exploiting Solana’s Durable Nonce System for Administrative Takeover

The next phase of the attack leveraged a specific feature within the Solana blockchain known as "durable nonces." Durable nonces allow for transactions to be signed in advance and executed at a later, often offline, time. This mechanism is akin to pre-signing a check with the intention of cashing it at a future date.

Between March 23 and March 30, 2026, the attackers prepared a series of these delayed transactions. Through continued social engineering efforts, they managed to persuade members of Drift’s Security Council—a select group of trusted individuals with multi-signature signing privileges—to sign these seemingly innocuous or routine transactions. Unbeknownst to the council members, these pre-signed transactions contained hidden instructions to transfer administrative control of the Drift Protocol to an attacker-controlled wallet address. Instead of directly compromising private keys, the attackers engineered a scenario where legitimate administrators unknowingly granted advance authorization for the takeover.

The culmination of this phase occurred on April 1, 2026. At precisely 16:05:18 UTC, the first pre-signed transaction was submitted. This transaction proposed the transfer of the protocol’s administrative key to the attacker’s designated address, H7PiGqqUaanBovwKgEtreJbKmQe6dbq6VTrw6guy7ZgL. Just one second later, at 16:05:19 UTC, a second transaction executed and approved this transfer. Within the span of a single second, the attackers had effectively seized full administrative control over Drift Protocol. This granted them the ability to remove withdrawal limits, override vault permissions, and initiate the subsequent draining of funds.

The Grand Theft: Draining Assets with Fabricated Collateral

With administrative privileges secured, the attackers proceeded to systematically drain funds from Drift Protocol’s vaults. The transactions, executed under the guise of legitimate administrative actions, bypassed on-chain safeguards that would typically flag suspicious activity.

The attackers then integrated their fabricated CVT token into the Drift system. They configured the protocol’s risk parameters to accept CVT as collateral, set extremely high borrowing limits, and loosened risk controls to a degree that the system would not question the perceived value of the deposited asset. These modifications were enacted seamlessly due to the valid administrative authority now at the attackers’ disposal.

Subsequently, the attackers deposited 500 million CVT into the protocol. Leveraging the artificial price of $1 they had established, the system interpreted this deposit as collateral worth approximately $500 million. With this seemingly robust collateral in place, the attackers began withdrawing actual assets.

The drained assets comprised a diverse range of cryptocurrencies, with the largest single withdrawals including:

  • USDC: $71.4 million
  • JLP: $159.3 million
  • cbBTC: $11.3 million
  • USDT: $5.6 million
  • USDS: $5.3 million
  • WETH: $4.7 million
  • dSOL: $4.5 million
  • WBTC: $4.4 million
  • FARTCOIN: $4.1 million
  • JitoSOL: $3.6 million

In addition to these significant amounts, numerous other assets were also siphoned off. The initial wave of large-scale withdrawals occurred within the first few minutes of the administrative takeover. However, the draining process continued for approximately 2.5 hours, with the last confirmed withdrawal transaction occurring at 18:31 UTC.

Simultaneously, the attackers initiated a rapid process of laundering the stolen funds, moving them off the Solana network. This included transfers to Ethereum via the Wormhole bridge and subsequent movement through privacy mixers like Tornado Cash and mixers on the BNB Smart Chain. This coordinated effort of fund extraction and obfuscation demonstrated a high degree of operational sophistication and presented significant challenges for real-time intervention.

Wider Ecosystem Impact and Suspected DPRK Ties

The repercussions of the Drift Protocol hack extended far beyond the immediate platform. The highly interconnected and composable nature of the Solana DeFi ecosystem meant that protocols relying on Drift’s liquidity, vaults, or underlying strategies were inevitably exposed. As of the time of reporting, at least twenty other protocols had confirmed disruptions, temporary pauses in service, or direct financial losses stemming from the incident. Many of these protocols initiated service suspensions to assess their exposure and explore potential user reimbursement strategies.

The preliminary findings of Drift Protocol’s investigation, corroborated by blockchain analytics firms, have raised significant concerns about the involvement of state-sponsored actors. Strong indications point towards threat actors associated with the Democratic People’s Republic of Korea (DPRK). If confirmed, this incident would align with a documented pattern of DPRK-linked cybercriminal activities that have extracted billions of dollars from the global cryptocurrency ecosystem in recent years. These operations are often characterized by their long-term planning, sophisticated social engineering tactics, and the use of stolen funds to finance the regime.

The Critical Need for Real-Time Threat Detection and Automated Response

The Drift Protocol exploit serves as a stark reminder of the evolving threat landscape in DeFi. While smart contract vulnerabilities have historically been a primary concern, this incident underscores the growing risks associated with the human element and operational complexities surrounding DeFi protocols. The ability of attackers to gain administrative control through social engineering and exploit protocol features like durable nonces highlights a critical gap in traditional security paradigms.

The prolonged duration of the vault drainage—over two hours—during which no automated circuit breaker was triggered, emphasizes the urgent need for advanced, real-time on-chain threat detection and response systems. Such systems, like Hexagate, offer proactive monitoring capabilities that can identify and flag anomalous activities before they escalate into catastrophic losses.

Real-time monitoring could have identified:

  • Abnormal administrative actions: The transfer of administrative keys or drastic changes to protocol parameters.
  • Suspicious collateral integration: The addition of a new, unvetted token with artificially inflated value.
  • Unusual transaction patterns: A sudden surge in withdrawal requests from multiple vaults, especially after administrative changes.
  • Fund movement to sanctioned addresses or known mixers: Indicative of illicit activity.

Beyond detection, automated response mechanisms are crucial for mitigating the impact of attacks. These systems can enable:

  • Immediate freezing of compromised administrative functions: Preventing further unauthorized actions.
  • Automated circuit breakers: Halting all outgoing transactions from affected vaults or the entire protocol.
  • Dynamic risk parameter adjustments: Automatically reverting or tightening controls in response to detected anomalies.
  • Alerting relevant authorities and security teams: Facilitating rapid incident response.

In the case of Drift Protocol, the absence of such automated controls meant that even with the drainage unfolding over an extended period, there was no built-in mechanism to halt the flow of stolen assets once administrative control was compromised. Pre-execution checks, powered by AI and behavioral analysis, could have flagged the abnormal administrative transfer before the drainage even commenced.

GateSigner: A New Paradigm in Transaction Security

The effectiveness of the Drift exploit lay in its technical legitimacy. Every action taken by the attacker, from the administrative takeover to the subsequent fund withdrawals, was authorized by valid signatures. This presented a challenge for security systems that rely solely on verifying the authenticity of a signature.

Hexagate’s GateSigner offers a novel solution by moving beyond simple signature verification to evaluate the intent and context of a transaction before it executes. By analyzing the underlying actions and potential consequences, GateSigner can identify and block transactions that, while technically valid, are highly abnormal or malicious in their intent.

For an attack like the Drift Protocol hack, GateSigner could have provided a critical layer of defense by:

  • Flagging the transfer of administrative control: Recognizing this as an exceptionally high-risk and unusual administrative action, even if signed by a legitimate authority.
  • Detecting the integration of a fabricated asset: Identifying the addition of CVT as collateral and flagging its extremely high, artificially set borrowing limits as anomalous.
  • Blocking suspicious parameter changes: Preventing the drastic loosening of risk parameters that enabled the exploit.
  • Intervening in large-scale, unusual withdrawals: Identifying the mass draining of multiple asset types as a deviation from normal operational patterns.

By assessing the "what" of a transaction rather than just the "who," GateSigner aims to prevent exploits that leverage legitimate access for malicious purposes. The ability to configure real-time alerts and automated blocking actions offers a proactive defense against sophisticated attacks that bypass traditional security measures.

The Drift Protocol hack is a sobering reminder of the constant arms race in the cybersecurity domain, particularly within the rapidly evolving DeFi space. It underscores the imperative for protocols to adopt advanced, intent-based security solutions that can adapt to emerging threats and safeguard user assets against increasingly sophisticated adversaries.

0 comment
0 FacebookTwitterPinterestEmail
Japanese & Asian Crypto Markets

21Shares Submits Second Amended Form S-1 for Spot Hyperliquid ETF as Institutional Competition for DEX-Linked Products Intensifies

by Siti Muinah
written by Siti Muinah

21Shares, a prominent global issuer of cryptocurrency exchange-traded products (ETPs), officially filed its second amendment to the Form S-1 registration statement with the U.S. Securities and Exchange Commission (SEC) on April 14, 2025, for its proposed spot Hyperliquid (HYPE) exchange-traded fund (ETF). The proposed investment vehicle, which intends to trade under the ticker symbol THYP, represents a critical step in the firm’s efforts to provide traditional investors with regulated exposure to the native token of the Hyperliquid ecosystem. While the filing clarifies several technical aspects of the fund’s structure, specific details regarding management fees and other operational expenses have not yet been disclosed to the public.

This latest regulatory submission underscores the accelerating momentum behind decentralized finance (DeFi) infrastructure assets in the traditional financial sector. Hyperliquid, which operates as a high-performance decentralized exchange (DEX) built on its own dedicated Layer 1 blockchain, has seen its native token, HYPE, emerge as one of the most significant assets in the digital finance space over the past year. The move by 21Shares to refine its application follows a pattern of active engagement between crypto-asset managers and federal regulators, signaling that the path toward approval is entering a more mature phase of technical review.

Analysis of the Regulatory Progress and Expert Commentary

The submission of the second amendment is widely viewed by market observers as a positive indicator of the "back-and-forth" dialogue between the issuer and the SEC. James Seyffart, an ETF research analyst at Bloomberg Intelligence, noted that the revisions likely reflect specific feedback provided by SEC staff. In the context of the U.S. regulatory environment, the transition from an initial filing to subsequent amendments often indicates that the regulator is scrutinizing the finer details of custody, valuation, and liquidity—essential components for the approval of a spot commodity-based ETF.

According to Seyffart, the fact that 21Shares is moving forward with these amendments suggests that the listing process is progressing steadily. This iterative process was mirrored during the approval cycles for both Bitcoin and Ethereum spot ETFs, where multiple rounds of S-1 amendments were required to address the SEC’s concerns regarding market manipulation, custodial security, and the "cash-only" versus "in-kind" creation and redemption mechanisms.

The Competitive Landscape: 21Shares, Bitwise, and Grayscale

The race to launch the first spot HYPE ETF has become a three-way contest between major industry players. Each firm is attempting to differentiate its offering through fee structures, exchange partnerships, and unique fund features.

Bitwise Asset Management (BHYP)

Bitwise was among the first to move aggressively in the HYPE space, filing its second S-1 amendment on April 10, 2025, just days before 21Shares. Bitwise’s proposed fund will trade under the ticker BHYP on the NYSE Arca exchange. Notably, Bitwise has already disclosed a competitive annual management fee of 0.67%. Perhaps most significantly, the Bitwise application includes provisions for staking functionality. By incorporating staking, the fund aims to pass along the rewards generated by the underlying HYPE tokens to the shareholders, potentially offering a "yield-bearing" version of the ETF that could be more attractive to long-term institutional holders.

21Shares、HYPE現物ETFの第2次修正届出書をSECに提出 | NADA NEWS(ナダ・ニュース)

21Shares (THYP)

While 21Shares has yet to finalize its fee structure or confirm whether it will follow Bitwise’s lead in offering staking rewards, the firm brings extensive experience from the European market. 21Shares has historically been a pioneer in launching diverse crypto ETPs on Swiss and German exchanges, and its entry into the HYPE race is seen as a strategic expansion of its U.S. footprint. The choice of the ticker THYP positions the product as a direct competitor to Bitwise’s BHYP.

Grayscale Investments (GHYP)

Grayscale, the world’s largest crypto asset manager, also joined the fray with its own S-1 filing. Aiming for a listing on the Nasdaq under the ticker GHYP, Grayscale’s entry ensures that all three major U.S. listing venues—NYSE Arca, Cboe (often used by 21Shares), and Nasdaq—will have a horse in the race. Grayscale’s strategy often involves leveraging its existing trust structures, though for HYPE, it is pursuing a standard spot ETF registration from the outset.

Understanding the Hyperliquid (HYPE) Ecosystem

The institutional interest in a HYPE ETF is driven by the fundamental growth of the Hyperliquid platform. Unlike many other decentralized exchanges that operate as applications on general-purpose blockchains like Ethereum or Solana, Hyperliquid is a standalone Layer 1 blockchain optimized specifically for a high-performance order-book-based DEX.

Hyperliquid specializes in perpetual swaps (perps), which are the most traded instruments in the cryptocurrency market. By providing a user experience that rivals centralized exchanges (CEXs) like Binance or Coinbase, but with the transparency and self-custody of a decentralized protocol, Hyperliquid has captured a significant share of the DeFi trading volume.

The HYPE token serves multiple roles within this ecosystem:

  1. Governance: Token holders can vote on protocol upgrades and the allocation of the ecosystem’s resources.
  2. Staking and Security: As a Proof-of-Stake (PoS) network, the HYPE token is essential for securing the underlying blockchain.
  3. Utility: The token is integrated into the platform’s fee structures and liquidity incentives.

Market Data and Performance Metrics

The demand for an ETF is further bolstered by HYPE’s exceptional market performance. As of April 15, 2025, the token was trading at approximately $43, maintaining a strong upward trajectory. The asset has demonstrated significant resilience and growth:

  • Year-to-Date (YTD) Performance: An increase of approximately 65%.
  • 12-Month Performance: A staggering rise of approximately 182%.
  • Market Capitalization: Approximately $100 billion.

With a market capitalization of $100 billion, HYPE currently ranks as the 13th largest cryptocurrency by total valuation. This scale is a crucial threshold for ETF issuers; the SEC generally requires a high level of liquidity and market depth to ensure that an ETF can be traded efficiently without causing extreme price volatility in the underlying spot market. At its current valuation, HYPE has surpassed many "legacy" blockchain projects, cementing its status as a top-tier institutional-grade asset.

21Shares、HYPE現物ETFの第2次修正届出書をSECに提出 | NADA NEWS(ナダ・ニュース)

Chronology of Key Events in the HYPE ETF Race

The timeline of filings indicates a condensed and highly competitive environment:

  • Early 2025: Initial S-1 filings are submitted by Bitwise and 21Shares as Hyperliquid’s trading volume begins to dominate the DEX landscape.
  • March 2025: Grayscale officially enters the race with a Nasdaq-bound S-1 filing.
  • April 10, 2025: Bitwise submits its second amendment (S-1/A), revealing a 0.67% fee and staking plans.
  • April 14, 2025: 21Shares submits its second amendment, signaling continued engagement with the SEC.
  • April 15, 2025: HYPE reaches a market cap of $100 billion, providing a strong fundamental argument for the necessity of a regulated investment vehicle.

Broader Implications for the ETF Industry

The move toward a Hyperliquid ETF represents a shift in the "second wave" of crypto ETFs. While the "first wave" focused on digital gold (Bitcoin) and decentralized computing (Ethereum), the "second wave" is increasingly focused on specific financial infrastructure and utility protocols.

If approved, a spot HYPE ETF would provide a template for other DeFi-centric assets, such as Uniswap (UNI) or Jupiter (JUP), to seek similar regulated status. It also challenges the traditional definition of "commodities" in the eyes of the SEC. Because Hyperliquid is a functional trading platform, the SEC must evaluate whether the HYPE token represents a stake in a "common enterprise" (which would classify it as a security) or a decentralized utility/commodity.

The inclusion of staking in Bitwise’s filing is another pivotal point of contention. The SEC has previously expressed skepticism regarding staking within ETF structures, citing concerns over the liquidity of staked assets and the complexity of returning yields to shareholders. If the SEC allows Bitwise to include staking, it could set a massive precedent, potentially forcing 21Shares and Grayscale to amend their filings to remain competitive.

Conclusion and Outlook

The second amendment filed by 21Shares is more than just a procedural update; it is a testament to the staying power of decentralized exchange protocols in the global financial hierarchy. As the SEC continues to review these applications, the focus will likely shift to the robustness of the "Hyperliquid L1" consensus mechanism and the reliability of the price feeds used by the ETFs.

For investors, the arrival of a spot HYPE ETF would democratize access to one of the fastest-growing sectors of the digital economy. It would allow pension funds, 401(k) providers, and retail investors to participate in the growth of decentralized derivatives trading without the complexities of managing private keys or navigating DeFi interfaces. As the April 2025 filings show, the infrastructure for this transition is being built in real-time, with 21Shares positioned at the forefront of this institutional evolution.

0 comment
0 FacebookTwitterPinterestEmail
Crypto Gohan
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.