Web3 is Going Just Great

April 1, 2026

Drift exploited for $280 million

The Solana-based Drift defi perpetual futures exchange was exploited for $280 million. The project alerted the community on social media, writing: "Drift Protocol is experiencing an active attack. ... This is not an April Fools joke."

The project later described the exploit as "a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers." Once the attacker had access to admin capabilities, they quickly eliminated risk management limits on the protocol and drained huge quantities of tokens, which they swapped to USDC and then ETH.

Some have criticized USDC's issuer, Circle, for not freezing the stolen funds during the six hours they were held in USDC. Unlike ETH, USDC is controlled by a centralized company that can, and regularly does, freeze assets determined to have been stolen or connected to illicit activity.

The theft is among the largest in defi history.

March 24, 2026

Moonwell faces $1 million governance attack

(attribution)

The Moonwell lending protocol faced a governance attack on its deprecated Moonriver instance that could have drained $1 million from the project. Because Moonwell's MFAM governance token trades at fractions of a cent, an attacker was able to accumulate around 40 million tokens, submit a malicious proposal, and achieve quorum. Moonwell governance token holders scrambled to vote down the proposal before the voting ended on March 27.

Ultimately, facing being outvoted, the attacker dumped their MFAM holdings and the proposal was canceled as their balance had fallen below the proposal threshold.

This was only the most recent of Moonwell's troubles after the protocol suffered a $1.78 million loss in February due to an oracle misconfiguration and a $3.7 million loss in November 2025.

Attack proposal, Moonwell governance [archive]
Tweet thread by Blockful [archive]