Carrot Protocol Ceases Operations
In a significant development within the DeFi landscape, the yield protocol Carrot, built on the Solana blockchain, has announced its decision to permanently cease operations following substantial financial losses linked to the exploit of the Drift Protocol. Carrot’s team conveyed this decision in a statement shared on X, emphasizing the dire consequences of the April 1 incident, which they described as “catastrophic”.
Withdrawal Deadline and Financial Impact
As a result of the attack, Carrot has set a critical deadline of May 14 for users to withdraw their remaining funds from the platform’s Boost, Turbo, and CRT services. The team reassured users that they still own their deposited funds, clarifying that all leverage would be eliminated to enable liquidity for CRT redemptions. Following the hack, Carrot’s total value locked (TVL) plummeted dramatically from approximately $28 million to about $1.99 million, reflecting a staggering decline of 93%.
Details of the Exploit
The exploit orchestrated against Drift Protocol was notably complex, with the attackers purportedly conducting extensive reconnaissance over several months. They built rapport with project stakeholders through both in-person engagements at crypto conferences and continuous interactions, allowing them to gain trust prior to executing the attack. Estimates suggest that the damage inflicted by this exploit may be as high as $280 million.
Further investigation reveals that contact with the perpetrators dates as far back as October 2025. During that time, individuals masquerading as representatives from a quantitative trading firm approached contributors, maintaining their cover through subsequent industry events. This fraudulent engagement ultimately led to the compromise of critical devices and the subsequent exploit.
Broader Implications and Industry Impact
Drift has expressed moderate to high confidence that the same group may have been behind a previous breach involving Radiant Capital in October 2024, which resulted in losses exceeding $58 million due to malware spread via Telegram. Moreover, the repercussions of the Drift incident have not only affected Carrot; other projects associated with Drift, such as Gauntlet, PrimeFi, and Elemental DeFi, are encountering disruptions following the exploit.
The broader DeFi environment appears to be under pressure, with data from DefiLlama indicating that April saw nearly $630 million in cryptocurrency losses across 25 separate incidents, marking it as the most costly month for exploits since February 2025, which suffered losses amounting to $1.47 billion. Among the incidents, the attack on Kelp remains the largest for 2026, totaling $293 million, followed closely by the Drift exploit, which represents a significant portion of April’s overall losses.
