Warning to XRP Developers
An XRP Ledger validator who goes by the name Vet has issued a strong advisory to developers operating on the XRP platform, urging them to be vigilant against the kind of social engineering scheme that recently led to a $280 million theft from Solana’s Drift Protocol.
Details of the Incident
This incident, which unfolded on the first of April, is significant for decentralized finance (DeFi): it is recognized as the largest hack of 2026 and the second-largest exploit in Solana’s short history, surpassed only by the Wormhole bridge hack that siphoned off $326 million in 2022.
The breach was executed swiftly. Attackers extracted approximately $285 million in user funds from Drift Protocol, the foremost decentralized perpetual futures exchange on the Solana network, within 12 minutes. Most of the diverted assets were moved to the Ethereum blockchain just hours later.
Mechanics of the Breach
The vulnerability exploited was not merely a flaw within smart contracts. The attackers used advanced social engineering techniques to manipulate multisig signers into approving concealed authorizations, and this was compounded by a zero-timelock transition of the Security Council, which left the protocol defenseless.
Insights from Drift Protocol
On April 5, Drift Protocol released a comprehensive update on the incident. Responding to this update, Vet highlighted the intricacy of the social engineering that led to the exploit, emphasizing that the perpetrators' planning spanned over six months. This period allowed them to cultivate relationships with key protocol developers through personal interactions at industry conferences, informal meetings, and even substantial financial contributions, notably $1 million to a vault.
Vet pointed out that the attackers deceived developers through familiarity, building the trust that ultimately enabled them to execute their plan. All it took was “one testflight app, a cloned repository, and a known vscode/cursor vulnerability,” as noted by Vet, for the attackers to carry it out.
Final Caution
Furthermore, Vet cautioned that all significant XRP initiatives should be aware of the access they provide to operation accounts, repository merging rights, and backend systems. The underlying message is clear: only those who take the threat of social engineering seriously will endure in the competitive and perilous cryptocurrency landscape. With an increasing number of projects emerging on the XRP Ledger, often reliant on vibe-based coding and real-world events, Vet strongly encourages XRPL users to exercise heightened caution and due diligence.