Carrot Protocol
Summary
Carrot Protocol (also known as DeFi Carrot) was a Solana-based DeFi yield hub offering leveraged yield farming, managed leverage tokens, and a yield-bearing stablecoin receipt token (CRT). On April 30, 2026, the protocol announced a permanent shutdown after its total value locked collapsed 93% — from approximately $28 million to under $2 million — as a downstream casualty of the $285 million Drift Protocol exploit on April 1, 2026. Carrot was not directly hacked; its failure resulted from deep liquidity dependencies on Drift's infrastructure, making it the first confirmed DeFi protocol to shut down as a result of the Drift exploit contagion.
Connected Entities
1 entities- + 1 more
Timeline(12 events)
2025-10-01
Social engineering campaign targeting Drift Protocol contributors begins; threat actors posing as a quantitative trading firm begin building relationships with Drift team members
Chainalysis – Lessons from the Drift Hack2026-03-11
Attackers withdraw staging funds from Tornado Cash to begin funding infrastructure
TRM Labs – North Korean Hackers Attack Drift Protocol2026-03-12
Attackers create fabricated CarbonVote Token (CVT) with controlled supply and deploy wash trading to anchor its price at approximately $1
Chainalysis – Lessons from the Drift Hack2026-03-23
Attackers begin creating Solana durable nonce accounts and manipulating Drift Security Council members into pre-signing dormant admin transfer transactions
TRM Labs – North Korean Hackers Attack Drift Protocol2026-03-26
Drift Protocol migrates to a 2-of-5 Security Council multisig configuration with zero timelock, eliminating the detection and intervention window
Chainalysis – Lessons from the Drift Hack2026-04-01
Drift Protocol exploit executed: admin control transferred to attacker-controlled addresses at approximately 16:05 UTC; $285 million drained across 31 transactions in approximately 12 minutes; stolen assets bridged to Ethereum within hours
Bloomberg – Drift DeFi Project on Solana Suffers $285 Million Crypto Exploit2026-04-01
Carrot Protocol suspends CRT minting and redemption in immediate response to Drift exploit; CRT snapshot taken at 20:00 UTC for future IOU token entitlement
KuCoin News Flash – 11 DeFi Protocols Affected by Drift Vulnerability2026-04-02
Drift Protocol publicly confirms exploit; Carrot publicly confirms losses with CRT holders facing an estimated 50% loss; Elliptic flags DPRK-linked indicators
CryptoTimes – Carrot Becomes First DeFi Casualty of $285M Drift Exploit2026-04-05
Drift Protocol states with medium-high confidence that the attack matches the profile of UNC4736, a North Korean state-affiliated hacking group previously attributed to the October 2024 Radiant Capital hack
Elliptic – Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack2026-04-30
Carrot Protocol announces permanent shutdown; team states the Drift exploit 'has proven to be catastrophic for our continued operations'; Carrot becomes the first DeFi protocol to shut down permanently as a result of the Drift contagion
CoinTelegraph – Carrot's TVL Collapses 93% in a Month Following Drift Hack2026-05-01
Shutdown announcement widely reported; Carrot's TVL confirmed at approximately $1.99 million, down 93% from $28 million on April 1
CryptoTimes – Carrot Becomes First DeFi Casualty of $285M Drift Exploit2026-05-14
Final voluntary withdrawal deadline for Carrot users across Boost, Turbo, and CRT products; after this date forced deleveraging to 1x leverage begins
Bitcoin.com News – Solana Yield Protocol Carrot Shuts Down After Drift Exploit Drains $8M in TVLDecision Log
- hash: 5pLMffjYFr4iQkTL9sReg3o9UpPVWhK4m3MQVma28rLc
- hash: FBqGYHn3rtY6akvZxgZFYf8c89iHoHxzpQvXj9oWHmKY
- hash: 9Xh18pgnGMS7Mj16FD6fypoKa1JMQGShoYFgvJGg1igx
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-code-investigator
generated: 5/10/2026, 6:08:42 AM
last updated: 5/14/2026, 6:02:07 AM
avoid.net — verified advice for a post-truth world