
Carrot Protocol

avoid.net/carrot-protocol · 32/100 · 78% conf.
[AI-DRAFTED · AWAITING VERIFICATION]

Summary

Carrot Protocol (also known as DeFi Carrot) was a Solana-based DeFi yield hub offering leveraged yield farming, managed leverage tokens, and a yield-bearing stablecoin receipt token (CRT). On April 30, 2026, the protocol announced a permanent shutdown after its total value locked collapsed 93% — from approximately $28 million to under $2 million — as a downstream casualty of the $285 million Drift Protocol exploit on April 1, 2026. Carrot was not directly hacked; its failure resulted from deep liquidity dependencies on Drift's infrastructure, making it the first confirmed DeFi protocol to shut down as a result of the Drift exploit contagion.


Protocol Overview

Carrot Protocol, branded as 'DeFi Carrot' and accessible at deficarrot.com and use.deficarrot.com, was a DeFi hub deployed on the Solana blockchain. Its stated mission was to make DeFi yield simple and accessible. The protocol offered three primary products: CRT (Earn), a yield-bearing stablecoin receipt token that automatically routed user-deposited stablecoins (USDC, USDT, PYUSD) across 8 or more Solana lending protocols for continuous yield optimization; Boost, a leveraged yield farming product accepting yield-bearing assets such as JLP, FLP, and ONyc as collateral; and Turbo, a managed leveraged token product providing exposure to assets including SOL, BTC, and GOLD without liquidation risk. The protocol also offered a Lend and Borrow module with isolated lending pools. According to its documentation, Carrot was audited by Sec3 and MadShield and charged zero management fees across all products. The official Twitter account is @DeFiCarrot. Carrot operated for more than two years before its closure. No specific founding date, team names, or headquarters information was publicly disclosed in sources reviewed.

The Drift Protocol Exploit (Root Cause)

On April 1, 2026, Drift Protocol — at the time the largest DeFi lending platform on Solana with approximately $550 million in total value locked — was exploited for approximately $285 to $286 million. The attack was the largest DeFi hack of 2026 and the second-largest security incident in Solana's history, behind only the $326 million Wormhole bridge exploit of 2022. The attack was not a smart contract bug exploit. It combined a months-long social engineering campaign with a technical manipulation of Solana's durable nonce feature. Beginning in the fall of 2025, threat actors posing as a legitimate quantitative trading firm built relationships with Drift contributors, depositing over $1 million to establish credibility. Between March 23 and March 30, 2026, attackers induced Drift Security Council members to pre-sign dormant transactions using Solana's durable nonce mechanism — a feature allowing transactions to be signed in advance for later execution. On March 26, Drift migrated to a 2-of-5 threshold Security Council multisig configuration with a zero timelock, eliminating the intervention window needed for detection. On March 12, attackers created a fabricated asset called CarbonVote Token (CVT), seeded a small liquidity pool, and wash-traded it to anchor its price at approximately $1, then deployed a controlled price oracle feeding that artificial valuation to Drift's system. At approximately 16:05 UTC on April 1, two transactions executed one second apart transferred administrative control to attacker-controlled addresses. Attackers then whitelisted CVT as collateral with effectively unlimited borrowing limits, deposited 500 million CVT, and systematically withdrew real assets including USDC ($71.4 million), JLP ($159.3 million), and cbBTC ($11.3 million) across 31 transactions in approximately 12 minutes. Stolen funds were swapped to USDC via Solana DEX aggregators, bridged to Ethereum, and converted to ETH within hours. 
Attribution for the attack points to North Korean (DPRK) state-sponsored actors. Elliptic assessed the operation matches the October 2024 Radiant Capital hack attributed by Mandiant to UNC4736 with medium-high confidence. TRM Labs identified indicators consistent with DPRK tradecraft including initial funding withdrawn from Tornado Cash on March 11, timing patterns aligned with the Pyongyang timezone, and attack sophistication consistent with state-sponsored operations. Chainalysis noted the attack illustrates that 'the greatest risks are no longer just in smart contracts, but in the systems, and people, that surround them.'
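The governance weakness described above (a 2-of-5 council with a zero timelock, signatures collected in advance) can be modelled as an admin-action queue. This is an added illustration, not Drift's or Carrot's code; the council members, action id and `NEW_AUTHORITY_PLACEHOLDER` are hypothetical, and the queue/approve/cancel/execute interface is assumed for the model:

```python
from dataclasses import dataclass, field

@dataclass
class AdminAction:
    payload: str                     # e.g. "transfer_admin:<new authority>"
    queued_at: int                   # unix seconds when the action entered the queue
    approvals: set = field(default_factory=set)
    cancelled: bool = False
    executed: bool = False

class Council:
    """M-of-N signer set whose admin actions must wait `delay_s` seconds after queueing."""
    def __init__(self, members, threshold, delay_s):
        self.members, self.threshold, self.delay_s = set(members), threshold, delay_s
        self.actions, self.events = {}, []      # events: audit trail a monitor can alert on

    def queue(self, action_id, payload, proposer, now):
        assert proposer in self.members
        self.actions[action_id] = AdminAction(payload, now, {proposer})
        self.events.append(("queued", action_id, now))   # first alertable signal

    def approve(self, action_id, signer):
        assert signer in self.members
        self.actions[action_id].approvals.add(signer)

    def cancel(self, action_id, signer, now):
        assert signer in self.members               # any one member can veto during the delay
        self.actions[action_id].cancelled = True
        self.events.append(("cancelled", action_id, now))

    def execute(self, action_id, now):
        a = self.actions[action_id]
        if a.cancelled or a.executed:
            return False, "not_executable"
        if len(a.approvals) < self.threshold:
            return False, "threshold_not_met"
        if now < a.queued_at + self.delay_s:     # with delay_s == 0 this branch never fires
            return False, "timelock_active"
        a.executed = True
        self.events.append(("executed", action_id, now))
        return True, "executed"

def run_scenario(delay_s, execute_at, veto_at=None):
    """Two of five council signatures already exist at t=0 (as with pre-signed transactions);
    returns the outcome of an execution attempt at `execute_at` (hypothetical scenario)."""
    council = Council(["s1", "s2", "s3", "s4", "s5"], threshold=2, delay_s=delay_s)
    council.queue("xfer", "transfer_admin:NEW_AUTHORITY_PLACEHOLDER", "s1", now=0)
    council.approve("xfer", "s2")
    if veto_at is not None and veto_at <= execute_at:
        council.cancel("xfer", "s3", veto_at)
    return council.execute("xfer", now=execute_at)

if __name__ == "__main__":
    print("zero timelock, executed 1s later:", run_scenario(0, 1))
    print("24h timelock, attempted 1s later:", run_scenario(86400, 1))
    print("24h timelock, vetoed in the window:", run_scenario(86400, 86400, veto_at=3600))
```

With a zero delay the two pre-collected signatures are sufficient the moment the action is queued; with a delay, the `queued` event gives the remaining members time to veto.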

TVL Collapse and Financial Impact on Carrot

Carrot Protocol's total value locked stood at approximately $28 million immediately before the April 1, 2026 Drift exploit. Within days of the attack, Carrot's TVL began a steep decline as its liquidity positions within Drift's vaults became impaired. By the time the shutdown was announced on April 30, TVL had declined to approximately $1.99 million — a collapse of roughly 93% in one month. The direct financial impairment to Carrot from Drift exposure is reported at approximately $8 million. The CRT token's net asset value dropped to approximately $57.52 to $57.58 per unit by mid-April, reflecting the losses absorbed within the CRT vault strategy. At the time of the shutdown announcement, DefiLlama recorded Carrot's TVL at approximately $1.82 million with active loans of approximately $690,000 and CRT token liquidity of approximately $104,000 split between Orca DEX ($65,000) and Raydium AMM ($39,000). The protocol's heavy reliance on Drift for yield generation across all three products (Boost, Turbo, and CRT) meant that Drift's compromise propagated directly into Carrot's balance sheet. Approximately 50% of Carrot's TVL was reportedly at risk from Drift exposure at the time of the exploit.

Permanent Shutdown and Wind-Down Mechanics

Carrot Protocol announced its permanent closure on April 30, 2026 (with some sources citing May 1, 2026 as the publication date of the announcement). The team's official statement read: 'Carrot is shutting down. This is certainly not the outcome we wanted, but the situation with the Drift exploit has proven to be catastrophic for our continued operations.' The protocol established May 14, 2026 as the final deadline for voluntary user withdrawals from all three products: Boost, Turbo, and CRT. After that date, the team stated it would begin forced deleveraging of all positions to 1x leverage, freeing up liquidity for CRT token redemption. The team confirmed that deposited funds remain user property throughout the wind-down and that no management fees would be charged during the process. An IOU token mechanism was established for users who had exposure to Drift-related losses. Distribution of any recovered Drift assets would be proportional, based on a snapshot of CRT holdings taken at April 1, 2026 at 20:00 UTC — the time of the exploit. The protocol stated that CRT redemption claims would be preserved regardless of whether users redeemed their CRT tokens before or after withdrawal. No timeline was provided for when Drift recovery distributions would occur. The suspension of CRT minting and redemption was first reported in the immediate aftermath of the April 1 exploit, indicating the protocol was aware of its exposure within hours of the attack.

Broader DeFi Contagion and Downstream Protocol Impact

The Drift exploit triggered a cascading contagion event across the Solana DeFi ecosystem. Early reports identified 11 protocols with immediate disruptions; that number grew to at least 20 as further integrations were uncovered. Protocols confirmed as affected include: DeFi Carrot (minting and redemption suspended, later shut down); Ranger Finance (approximately $900,000 in losses, representing 6% of its TVL); Pyra (card functionality suspended); Asgard Finance (disabled Drift-related credit sources); Fuse Wallet (paused Earn product deposits); xPlace (paused Savings product deposits and withdrawals); Reflect Money; Neutral Trade; Elemental DeFi; Project 0; Lulo Finance; Gauntlet (estimated $6.4 million impact); PrimeFi; Prime Numbers Fi (losses reportedly exceeding $10 million); PiggyBank; Perena; Vectis; Valeo; Amp Pay; Loopscale; and Exponent. Carrot was identified as the first protocol to shut down permanently as a result of the contagion. April 2026 was the worst month for DeFi losses since February 2025, with approximately $630 million stolen across 25 separate incidents. The Drift exploit ($285 million) and the Kelp DAO exploit, together, accounted for more than 90% of all crypto stolen in April 2026.

DeFi Composability Risk and Systemic Lessons

The Carrot Protocol shutdown illustrates the systemic risk inherent in DeFi composability — the practice of building protocol functionality on top of other protocols' liquidity, oracles, and infrastructure. Carrot was not compromised directly; its failure was entirely downstream of a compromise in a protocol it depended upon. Chainalysis observed that the Drift incident demonstrated that DeFi risks are 'no longer just in smart contracts, but in the systems, and people, that surround them.' Three specific systemic vulnerabilities were identified in post-incident analysis: the removal of timelocks on governance and admin actions eliminated the detection window necessary for intervention; the use of Solana's durable nonce mechanism to pre-sign admin transactions created a latent attack surface that bypassed real-time oversight; and the absence of oracle design safeguards — such as minimum liquidity thresholds, time-weighted price validation, and circuit breakers — allowed an artificially priced fabricated token to be accepted as hundreds of millions of dollars in collateral. TRM Labs noted that multisig signers require robust independent verification processes for any transaction touching admin functions. For users of aggregator and leverage protocols like Carrot, the incident demonstrated that yield optimization across multiple venues introduces concentration risk to the least-secure underlying protocol in the stack. Carrot's architecture, which routed capital across 8 or more Solana lending protocols automatically, maximized yield efficiency at the cost of exposure to any single protocol failure within the network.
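The three oracle safeguards named above (a minimum liquidity threshold, time-weighted price validation, and a circuit breaker on how much collateral value one asset can confer) can be expressed as a listing check. This is an added example, not code from Carrot, Drift or any oracle provider; the thresholds, the `CollateralCandidate` fields and the two sample assets are constructed for illustration:

```python
from dataclasses import dataclass

DAY = 86400

@dataclass
class CollateralCandidate:
    symbol: str
    oracle_price: float          # USD price the proposed oracle feed reports
    pool_liquidity_usd: float    # depth of the deepest on-chain pool for the asset
    price_samples: list          # (unix_ts, price) observations, oldest first
    deposit_tokens: float        # tokens the depositor wants counted as collateral

def twap(samples):
    """Time-weighted average price: each price is weighted by how long it persisted."""
    if len(samples) < 2:
        return None
    weighted = sum(p * (samples[i + 1][0] - t) for i, (t, p) in enumerate(samples[:-1]))
    return weighted / (samples[-1][0] - samples[0][0])

def evaluate(c, min_liquidity_usd=5_000_000, max_deviation=0.05,
             min_history_s=7 * DAY, cap_fraction=0.10):
    """Return the safeguard failures for a listing request; an empty list means accept.
    Thresholds are assumed values for the example, not any protocol's parameters."""
    failures = []
    if c.pool_liquidity_usd < min_liquidity_usd:
        failures.append("liquidity_below_threshold")
    avg = twap(c.price_samples)
    if avg is None or c.price_samples[-1][0] - c.price_samples[0][0] < min_history_s:
        failures.append("insufficient_price_history")
    elif abs(c.oracle_price - avg) / avg > max_deviation:
        failures.append("oracle_deviates_from_twap")
    # circuit breaker: value credited from one asset may not exceed a fraction of its own
    # pool depth, so a thin pool cannot be leveraged into a large borrow
    if c.deposit_tokens * c.oracle_price > cap_fraction * c.pool_liquidity_usd:
        failures.append("collateral_cap_exceeded")
    return failures

# Constructed inputs (not real market data): a wash-traded token with a flat $1 price and a
# $50k pool, and an established asset with ten days of history in a $200M pool.
FABRICATED = CollateralCandidate("FAKE", 1.00, 50_000,
                                 [(0, 1.00), (DAY, 1.00), (2 * DAY, 1.00)], 500_000_000)
ESTABLISHED = CollateralCandidate("STABLE", 1.00, 200_000_000,
                                  [(i * DAY, 0.99 if i % 2 == 0 else 1.01) for i in range(11)],
                                  1_000_000)

if __name__ == "__main__":
    for cand in (FABRICATED, ESTABLISHED):
        print(cand.symbol, evaluate(cand) or "accepted")
```

A flat, wash-traded price passes a naive deviation check, which is why the liquidity floor and the per-asset cap are the checks that actually reject the fabricated asset.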

Security Audits and Pre-Shutdown Risk Profile

According to Carrot Protocol's official documentation, the protocol's smart contracts were audited by Sec3 and MadShield prior to the shutdown. Both are Solana-focused security audit firms. No publicly available audit reports or specific audit findings were located during this investigation. The audits, if complete, would have covered Carrot's own smart contracts; they would not have addressed the upstream counterparty risk posed by Drift Protocol's governance structure or the social engineering vulnerability that ultimately caused the cascade. The protocol offered zero management fees and disclosed in its documentation that 'every product carries risk,' though specific risk disclosures regarding counterparty concentration or upstream protocol dependency do not appear to have been prominently featured. No history of direct security incidents affecting Carrot's own contracts was found.

User Impact and Recovery Status

Users of all three Carrot products — Boost, Turbo, and CRT — were affected by the shutdown. As of the shutdown announcement, users retained legal ownership of their deposited funds and were given until May 14, 2026 to voluntarily withdraw. After that deadline, the protocol committed to force-deleveraging all positions to 1x leverage, freeing underlying liquidity for CRT token redemption. Users with CRT positions face partial losses on the portion of the vault's assets that were exposed to Drift. The CRT token's NAV dropped to approximately $57.52 to $57.58 by mid-April 2026, indicating meaningful impairment relative to its par value. Future recovery from any assets reclaimed through Drift's incident response or legal action will be distributed via an IOU token, with entitlement based on a CRT snapshot taken at April 1, 2026 at 20:00 UTC. The team stated that claims would be preserved regardless of when users redeemed their CRT tokens. No timeline for IOU token distributions was provided. The recovery amount and timeline remain uncertain and depend on Drift Protocol's own recovery proceedings.

Timeline

2025-10-01

Social engineering campaign targeting Drift Protocol contributors begins; threat actors posing as a quantitative trading firm begin building relationships with Drift team members

Chainalysis – Lessons from the Drift Hack

2026-03-11

Attackers withdraw staging funds from Tornado Cash to begin funding infrastructure

TRM Labs – North Korean Hackers Attack Drift Protocol

2026-03-12

Attackers create fabricated CarbonVote Token (CVT) with controlled supply and deploy wash trading to anchor its price at approximately $1

Chainalysis – Lessons from the Drift Hack

2026-03-23

Attackers begin creating Solana durable nonce accounts and manipulating Drift Security Council members into pre-signing dormant admin transfer transactions

TRM Labs – North Korean Hackers Attack Drift Protocol

2026-03-26

Drift Protocol migrates to a 2-of-5 Security Council multisig configuration with zero timelock, eliminating the detection and intervention window

Chainalysis – Lessons from the Drift Hack

2026-04-01

Drift Protocol exploit executed: admin control transferred to attacker-controlled addresses at approximately 16:05 UTC; $285 million drained across 31 transactions in approximately 12 minutes; stolen assets bridged to Ethereum within hours

Bloomberg – Drift DeFi Project on Solana Suffers $285 Million Crypto Exploit

2026-04-01

Carrot Protocol suspends CRT minting and redemption in immediate response to Drift exploit; CRT snapshot taken at 20:00 UTC for future IOU token entitlement

KuCoin News Flash – 11 DeFi Protocols Affected by Drift Vulnerability

2026-04-02

Drift Protocol publicly confirms exploit; Carrot publicly confirms losses with CRT holders facing an estimated 50% loss; Elliptic flags DPRK-linked indicators

CryptoTimes – Carrot Becomes First DeFi Casualty of $285M Drift Exploit

2026-04-05

Drift Protocol states with medium-high confidence that the attack matches the profile of UNC4736, a North Korean state-affiliated hacking group previously attributed to the October 2024 Radiant Capital hack

Elliptic – Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack

2026-04-30

Carrot Protocol announces permanent shutdown; team states the Drift exploit 'has proven to be catastrophic for our continued operations'; Carrot becomes the first DeFi protocol to shut down permanently as a result of the Drift contagion

CoinTelegraph – Carrot's TVL Collapses 93% in a Month Following Drift Hack

2026-05-01

Shutdown announcement widely reported; Carrot's TVL confirmed at approximately $1.99 million, down 93% from $28 million on April 1

CryptoTimes – Carrot Becomes First DeFi Casualty of $285M Drift Exploit

2026-05-14

Final voluntary withdrawal deadline for Carrot users across Boost, Turbo, and CRT products; after this date forced deleveraging to 1x leverage begins

Bitcoin.com News – Solana Yield Protocol Carrot Shuts Down After Drift Exploit Drains $8M in TVL

model: claude-code-investigator

generated: 5/10/2026, 6:08:42 AM

last updated: 5/10/2026, 6:08:42 AM
