Carrot protocol to shut down after Drift breach wipes out TVL
Solana-based DeFi yield protocol Carrot has announced a permanent shutdown after losses tied to the Drift Protocol exploit left it unable to continue operations.
- Carrot has announced a permanent shutdown after losses tied to the Drift exploit left the protocol unable to continue, with May 14 set as the withdrawal deadline.
- DefiLlama data shows Carrot’s total value locked fell from about $28 million to $1.99 million following the April 1 attack on Drift.
- Drift Protocol said the exploit followed months of social engineering, with losses estimated at about $280 million and linked to a coordinated campaign.
According to a statement posted by Carrot on X on Thursday, the April 1 attack on Drift proved “catastrophic” for the protocol, forcing the team to wind down services and set May 14 as the deadline for users to withdraw remaining funds. The team said it will continue assisting recovery efforts linked to Drift and distribute assets once they are recovered.
“We are setting May 14th as the deadline to withdraw any remaining funds from Boost, Turbo, and CRT before we will then begin to deleverage the system. Your deposited funds are still yours, but all leverage will be reduced to zero, freeing up all liquidity for CRT redemption,” the team said.
Integrated with Drift’s infrastructure, Carrot relied on its liquidity pools to generate yield, which left it exposed when the exploit drained a large portion of Drift’s total value locked. DefiLlama data shows Carrot’s TVL fell from about $28 million before the incident to $1.99 million, a drop of roughly 93%.
Drift Protocol said on April 5 that the exploit followed months of preparation, during which attackers built trust with contributors through in-person meetings and online contact before delivering malicious tools. External estimates placed losses from the attack at about $280 million, while Drift described the campaign as organized and backed by significant resources.
According to Drift’s review, contact with the attackers began around October 2025, when individuals posing as members of a quantitative trading firm approached contributors at a crypto conference and later maintained relationships across multiple industry events. The exchange said those interactions allowed the group to gain trust before compromising devices and executing the exploit.
Drift added it has “medium-high confidence” that the same actors were involved in the October 2024 Radiant Capital breach, which resulted in about $58 million in losses and involved malware distributed through Telegram.
The impact has extended beyond Carrot. Projects connected to Drift, including Gauntlet, PrimeFi, and Elemental DeFi, have also reported disruptions following the exploit.
DefiLlama data shows that April recorded nearly $630 million in crypto losses across 25 incidents, making it the largest month for exploits since February 2025, when losses reached $1.47 billion. The $293 million attack on Kelp remains the biggest exploit of 2026 so far, followed by the Drift breach at roughly $285 million, with both incidents accounting for more than 90% of April’s total losses.
