In a recent tweet, $XRP Ledger validator Vet warns $XRP builders to stay alert after a sophisticated social engineering scam drained Solana’s Drift protocol of $280 million.
On April 2, the crypto market woke up to the news of the largest DeFi hack of 2026 and the second largest exploit in Solana’s history, behind only the $326 million Wormhole bridge hack in 2022.
Attackers drained approximately $285 million in user assets from the largest decentralized perpetual futures exchange on Solana, Drift Protocol on April 1, with the attack happening in about 12 minutes. Most of the stolen funds were bridged to Ethereum hours after.
The critical vulnerability was not a smart contract bug but a combination of social engineering multisig signers into presigning hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol’s last line of defense.
$XRP community reacts
On April 5, Drift Protocol shared a background update about the incident, sharing further details. $XRP Ledger validator Vet engaged with Drift Protocol’s update on the incident, triggering a warning to the $XRP community.
level of social engineering that led to a $280M exploit of a DeFi protocol is mind boggling. Important lesson for us building on $XRP too.
over six months they approached key protocol developers at conferences, befriended them, face-to-face meetings, showed them what they build… https://t.co/oxAbxwoltH
— Vet (@Vet_X0) April 5, 2026
Vet highlighted that the level of social engineering that led to a $280 million exploit of the Drift Protocol remains mind-boggling. He says this marks an important lesson for $XRP builders as well.
The $XRP Ledger validator highlighted a surprising part of the whole incident, which was planned for about six months. The perpetrators built trust in this time frame and even contributed $1 million to a vault.
“Over six months they approached key protocol developers at conferences, befriended them, face-to-face meetings, showed them what they build over months at various conferences, established group chats and even contributed $1M to a vault,” Vet wrote.
However, “one testflight app, a cloned repository and a known vscode/cursor vulnerability later,” they had the foundation to execute the attack, Vet noted.
Vet notes that all major $XRP projects have the credentials to their ops accounts, repository merge access and backend systems, adding that only the paranoid ones will survive. He urges caution among XRPL users amid an increasing number of builders enabled by vibe-coded projects and rising $XRP IRL events.