Login
Sign Up
Solana-based decentralized finance yield protocol Carrot announced on Thursday its permanent shutdown, marking it as a primary casualty of the contagion stemming from the Drift Protocol exploit in early April. The protocol described the incident as catastrophic, stating that the financial damage rendered continued operations impossible. In a public statement, the team established a May 14 deadline for users to withdraw remaining funds from Boost, Turbo, and CRT products before initiating system deleveraging. The announcement clarified that while deposited funds remain the property of users, all leverage positions will be reduced to zero to free up liquidity for CRT redemption. The team also pledged to support ongoing recovery efforts related to Drift and distribute assets once they become available.
The root cause of this collapse was the highly coordinated attack on Drift Protocol on April 1, which stands as the second-largest exploit of 2026. This breach involved months of social engineering by a hacker group that successfully gained admin control and drained more than half of the protocol's total value locked. The fallout extended beyond Drift, spreading contagion to several affiliated projects including the yield protocol Gauntlet, the lending and borrowing platform PrimeFi, and the crypto fund Elemental DeFi. Carrot was deeply integrated with Drift's infrastructure, relying on its pools to generate yield for its user base, making it uniquely vulnerable to the infrastructure failure.
Data compiled by Woofun AI shows that Carrot's total value locked (TVL) collapsed from approximately 28 million before the Drift hack to just 1.99 million currently. This represents a decrease of roughly 93%, effectively wiping out the majority of the protocol's liquidity. The severity of the April security landscape is further highlighted by broader market metrics. DefiLlama data indicates that nearly 630 million worth of digital assets were stolen across 25 incidents in April alone. This volume makes April the month with the largest losses since February 2025, when 1.47 billion was stolen in a separate series of attacks.
The two largest exploits of 2026 so far are the 293 million hack on the liquid staking protocol Kelp and the 285 million breach of Drift. Together, these two attacks account for more than 90% of all crypto stolen in April, underscoring the concentration of risk within specific high-value infrastructure targets. The Drift exploit, in particular, demonstrated how a single point of failure in a major lending or derivatives protocol can trigger systemic insolvency for dependent yield aggregators like Carrot. Woofun AI notes that the reliance on shared liquidity pools without sufficient isolation mechanisms created a domino effect that few protocols could withstand.
The immediate operational response involves a forced deleveraging process to stabilize the remaining balance sheet. By reducing all leverage to zero, the protocol aims to maximize the amount of capital available for user redemptions before the final shutdown. This strategy acknowledges that the protocol can no longer sustain its yield generation model without the underlying Drift infrastructure. The May 14 deadline serves as a critical juncture for users to secure their remaining assets before the system is fully wound down.
Woofun AI analysis suggests that the April 2026 security incidents signal a shift in attacker sophistication, moving from opportunistic exploits to months-long social engineering campaigns targeting admin controls. The sheer scale of the 285 million loss at Drift and the subsequent collapse of Carrot highlight the fragility of interconnected DeFi ecosystems on Solana. As the industry processes these losses, the focus will likely shift toward auditing cross-protocol dependencies and implementing stricter isolation protocols to prevent similar contagion events in the future.