← Carrot Protocol3 decisions on this page

Audit log

Every state-changing event for Carrot Protocol: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

#1reviewby reviewerreviewer
2026-05-12 21:44:41Z
Score: 32 → 32 (no score change)
The Carrot Protocol investigation page is substantially accurate and well-sourced. The core narrative — that Carrot shut down as a downstream casualty of the April 1, 2026 Drift Protocol exploit — is confirmed by multiple independent sources. The most significant factual error is the characterization of Drift Protocol as 'the largest DeFi lending platform on Solana' when it is consistently described by authoritative sources (Chainalysis, QuillAudits, Drift's own documentation) as a perpetual futures DEX. Secondary issues include a one-day discrepancy in the multisig migration date (March 26 vs. March 27), a transaction count discrepancy (31 vs. 33), a disputed claim that Carrot 'operated for more than two years' given a 2024 founding, and minor imprecision in the April 2026 monthly incident count (page says 25, most authoritative sources say 28-30). The Drift TVL, exploit amount, asset breakdown, DPRK attribution, and Carrot wind-down mechanics are all well-supported.
anchoranchored
chain
●mainnet-betaslot 419,337,708
sig
5UUanbjJ3CeR…br3kNhqBexplorer ↗
hash
9Xh18pgnGMS7…vJGg1igxsha256 → base58
verifying row…full verify ↗
canonical bytes (1333 B) ▸
{"actor":"reviewer","decided_at":"2026-05-12T21:44:41.095Z","decision":"review","investigation_id":"66deb8ba-9978-4277-ac06-a4590184fe62","new_score":32,"page_slug":"carrot-protocol","prev_score":32,"reason":"The Carrot Protocol investigation page is substantially accurate and well-sourced. The core narrative — that Carrot shut down as a downstream casualty of the April 1, 2026 Drift Protocol exploit — is confirmed by multiple independent sources. The most significant factual error is the characterization of Drift Protocol as 'the largest DeFi lending platform on Solana' when it is consistently described by authoritative sources (Chainalysis, QuillAudits, Drift's own documentation) as a perpetual futures DEX. Secondary issues include a one-day discrepancy in the multisig migration date (March 26 vs. March 27), a transaction count discrepancy (31 vs. 33), a disputed claim that Carrot 'operated for more than two years' given a 2024 founding, and minor imprecision in the April 2026 monthly incident count (page says 25, most authoritative sources say 28-30). The Drift TVL, exploit amount, asset breakdown, DPRK attribution, and Carrot wind-down mechanics are all well-supported.","score_delta":0,"sequence_num":1,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
Verify offline (run on your own machine)
python -m src.verify_decision a58e875c-dd59-4401-9949-fb4f6b2947b4
#2review reviseby judgejudge
2026-05-12 21:44:41Z
Score: 32 → 24 (-8)
The core narrative — Carrot Protocol shut down as a downstream casualty of the April 1, 2026 Drift exploit — is well-supported across 19 confirmed claims and multiple Tier 1 sources (Chainalysis, TRM Labs, Elliptic). Disputed claims total 7% of reviewed claims, within the approve band, but two issues require correction before the page is clean. First, claim_findings[7] misidentifies Drift Protocol as 'the largest DeFi lending platform on Solana' when authoritative sources including Chainalysis and QuillAudits consistently describe it as a perpetual futures DEX; this error appears in the critical-severity exploit section and should be corrected. Second, claim_findings[3] overstates that Carrot 'operated for more than two years' — Tracxn shows a 2024 founding and a May 2025 seed round, putting live operation at roughly one year. Additionally, the review identified a high-priority coverage gap: the May 14, 2026 voluntary withdrawal deadline has now passed, and the page does not yet document the current status of forced deleveraging, IOU token issuance, or the $148M Tether recovery package available to Drift-exposed protocols. These items are expected to be updated as a condition of approval.
anchoranchored
chain
●mainnet-betaslot 419,337,711
sig
2dc1isgjBurE…JJ2U1B7pexplorer ↗
hash
FBqGYHn3rtY6…j9oWHmKYsha256 → base58
verifying row…full verify ↗
canonical bytes (1563 B) ▸
{"actor":"judge","decided_at":"2026-05-12T21:44:41.095Z","decision":"review_revise","investigation_id":"66deb8ba-9978-4277-ac06-a4590184fe62","new_score":24,"page_slug":"carrot-protocol","prev_score":32,"reason":"The core narrative — Carrot Protocol shut down as a downstream casualty of the April 1, 2026 Drift exploit — is well-supported across 19 confirmed claims and multiple Tier 1 sources (Chainalysis, TRM Labs, Elliptic). Disputed claims total 7% of reviewed claims, within the approve band, but two issues require correction before the page is clean. First, claim_findings[7] misidentifies Drift Protocol as 'the largest DeFi lending platform on Solana' when authoritative sources including Chainalysis and QuillAudits consistently describe it as a perpetual futures DEX; this error appears in the critical-severity exploit section and should be corrected. Second, claim_findings[3] overstates that Carrot 'operated for more than two years' — Tracxn shows a 2024 founding and a May 2025 seed round, putting live operation at roughly one year. Additionally, the review identified a high-priority coverage gap: the May 14, 2026 voluntary withdrawal deadline has now passed, and the page does not yet document the current status of forced deleveraging, IOU token issuance, or the $148M Tether recovery package available to Drift-exposed protocols. These items are expected to be updated as a condition of approval.","score_delta":-8,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
Verify offline (run on your own machine)
python -m src.verify_decision 6e105e5d-83c1-48ca-a1bb-22ee4920e72b
#3publishby system:backfill
2026-05-14 06:02:07Z
Score: ? → ? (no score change)
anchoranchored
chain
●mainnet-betaslot 419,628,774
sig
66LLnNG8pUv4…hb213hqVexplorer ↗
hash
5pLMffjYFr4i…Vma28rLcsha256 → base58
verifying row…full verify ↗
canonical bytes (28762 B) ▸
{"actor":"system:backfill","investigation_id":"66deb8ba-9978-4277-ac06-a4590184fe62","kind":"publish","page_slug":"carrot-protocol","published_at":"2026-05-14T06:02:07.678Z","sequence_num":3,"snapshot":{"content_type":"investigation","entity_name":"Carrot Protocol","sections":[{"content":"Carrot Protocol, branded as 'DeFi Carrot' and accessible at deficarrot.com and use.deficarrot.com, was a DeFi hub deployed on the Solana blockchain. Its stated mission was to make DeFi yield simple and accessible. The protocol offered three primary products: CRT (Earn), a yield-bearing stablecoin receipt token that automatically routed user-deposited stablecoins (USDC, USDT, PYUSD) across 8 or more Solana lending protocols for continuous yield optimization; Boost, a leveraged yield farming product accepting yield-bearing assets such as JLP, FLP, and ONyc as collateral; and Turbo, a managed leveraged token product providing exposure to assets including SOL, BTC, and GOLD without liquidation risk. The protocol also offered a Lend and Borrow module with isolated lending pools. According to its documentation, Carrot was audited by Sec3 and MadShield and charged zero management fees across all products. The official Twitter account is @DeFiCarrot. Carrot operated for more than two years before its closure. No specific founding date, team names, or headquarters information was publicly disclosed in sources reviewed.","heading":"Protocol Overview","severity":"low","sources":[{"credibility":2,"name":"Carrot Protocol Official Documentation","type":"official","url":"https://docs.deficarrot.com/"},{"credibility":2,"name":"Carrot Protocol – DefiLlama TVL Dashboard","type":"on_chain","url":"https://defillama.com/protocol/carrot"},{"credibility":3,"name":"Carrot Protocol – SolaDEX Project Listing","type":"other","url":"https://www.soladex.io/project/carrot"}]},{"content":"On April 1, 2026, Drift Protocol — at the time the largest DeFi lending platform on Solana with approximately $550 million in total value locked — was exploited for approximately $285 to $286 million. The attack was the largest DeFi hack of 2026 and the second-largest security incident in Solana's history, behind only the $326 million Wormhole bridge exploit of 2022. The attack was not a smart contract bug exploit. It combined a months-long social engineering campaign with a technical manipulation of Solana's durable nonce feature. Beginning in the fall of 2025, threat actors posing as a legitimate quantitative trading firm built relationships with Drift contributors, depositing over $1 million to establish credibility. Between March 23 and March 30, 2026, attackers induced Drift Security Council members to pre-sign dormant transactions using Solana's durable nonce mechanism — a feature allowing transactions to be signed in advance for later execution. On March 26, Drift migrated to a 2-of-5 threshold Security Council multisig configuration with a zero timelock, eliminating the intervention window needed for detection. On March 12, attackers created a fabricated asset called CarbonVote Token (CVT), seeded a small liquidity pool, and wash-traded it to anchor its price at approximately $1, then deployed a controlled price oracle feeding that artificial valuation to Drift's system. At approximately 16:05 UTC on April 1, two transactions executed one second apart transferred administrative control to attacker-controlled addresses. Attackers then whitelisted CVT as collateral with effectively unlimited borrowing limits, deposited 500 million CVT, and systematically withdrew real assets including USDC ($71.4 million), JLP ($159.3 million), and cbBTC ($11.3 million) across 31 transactions in approximately 12 minutes. Stolen funds were swapped to USDC via Solana DEX aggregators, bridged to Ethereum, and converted to ETH within hours. Attribution for the attack points to North Korean (DPRK) state-sponsored actors. Elliptic assessed the operation matches the October 2024 Radiant Capital hack attributed by Mandiant to UNC4736 with medium-high confidence. TRM Labs identified indicators consistent with DPRK tradecraft including initial funding withdrawn from Tornado Cash on March 11, timing patterns aligned with the Pyongyang timezone, and attack sophistication consistent with state-sponsored operations. Chainalysis noted the attack illustrates that 'the greatest risks are no longer just in smart contracts, but in the systems, and people, that surround them.'","heading":"The Drift Protocol Exploit (Root Cause)","severity":"critical","sources":[{"credibility":1,"name":"Bloomberg – Drift DeFi Project on Solana Suffers $285 Million Crypto Exploit","type":"news_article","url":"https://www.bloomberg.com/news/articles/2026-04-01/solana-based-defi-project-drift-hit-by-285-million-exploit"},{"credibility":1,"name":"Chainalysis – Lessons from the Drift Hack","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":1,"name":"TRM Labs – North Korean Hackers Attack Drift Protocol in $285 Million Heist","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":1,"name":"Elliptic – Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":2,"name":"CoinDesk – North Korean Hackers Likely Behind the $286 Million Drift Protocol Exploit","type":"news_article","url":"https://www.coindesk.com/business/2026/04/02/north-koreans-hackers-likely-behind-the-usd286-million-drift-protocol-exploit-elliptic"},{"credibility":2,"name":"The Hacker News – $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"}]},{"content":"Carrot Protocol's total value locked stood at approximately $28 million immediately before the April 1, 2026 Drift exploit. Within days of the attack, Carrot's TVL began a steep decline as its liquidity positions within Drift's vaults became impaired. By the time the shutdown was announced on April 30, TVL had declined to approximately $1.99 million — a collapse of roughly 93% in one month. The direct financial impairment to Carrot from Drift exposure is reported at approximately $8 million. The CRT token's net asset value dropped to approximately $57.52 to $57.58 per unit by mid-April, reflecting the losses absorbed within the CRT vault strategy. At the time of the shutdown announcement, DefiLlama recorded Carrot's TVL at approximately $1.82 million with active loans of approximately $690,000 and CRT token liquidity of approximately $104,000 split between Orca DEX ($65,000) and Raydium AMM ($39,000). The protocol's heavy reliance on Drift for yield generation across all three products (Boost, Turbo, and CRT) meant that Drift's compromise propagated directly into Carrot's balance sheet. Approximately 50% of Carrot's TVL was reportedly at risk from Drift exposure at the time of the exploit.","heading":"TVL Collapse and Financial Impact on Carrot","severity":"critical","sources":[{"credibility":2,"name":"CoinTelegraph – Carrot's TVL Collapses 93% in a Month Following Drift Hack","type":"news_article","url":"https://cointelegraph.com/news/defi-protocol-carrot-becomes-first-casualty-of-285m-drift-exploit"},{"credibility":2,"name":"CryptoTimes – Carrot Becomes First DeFi Casualty of $285M Drift Exploit","type":"news_article","url":"https://www.cryptotimes.io/2026/05/01/carrot-becomes-first-defi-casualty-of-285m-drift-exploit/"},{"credibility":2,"name":"Bitcoin.com News – Solana Yield Protocol Carrot Shuts Down After Drift Exploit Drains $8M in TVL","type":"news_article","url":"https://news.bitcoin.com/solana-yield-protocol-carrot-shuts-down-after-drift-exploit-drains-8m-in-tvl/"},{"credibility":2,"name":"Carrot Protocol – DefiLlama TVL Dashboard","type":"on_chain","url":"https://defillama.com/protocol/carrot"},{"credibility":2,"name":"CoinLaw – Solana DeFi Protocol Carrot Shuts Down After Drift Exploit Fallout","type":"news_article","url":"https://coinlaw.io/solana-defi-carrot-shutdown-drift-exploit/"}]},{"content":"Carrot Protocol announced its permanent closure on April 30, 2026 (with some sources citing May 1, 2026 as the publication date of the announcement). The team's official statement read: 'Carrot is shutting down. This is certainly not the outcome we wanted, but the situation with the Drift exploit has proven to be catastrophic for our continued operations.' The protocol established May 14, 2026 as the final deadline for voluntary user withdrawals from all three products: Boost, Turbo, and CRT. After that date, the team stated it would begin forced deleveraging of all positions to 1x leverage, freeing up liquidity for CRT token redemption. The team confirmed that deposited funds remain user property throughout the wind-down and that no management fees would be charged during the process. An IOU token mechanism was established for users who had exposure to Drift-related losses. Distribution of any recovered Drift assets would be proportional, based on a snapshot of CRT holdings taken at April 1, 2026 at 20:00 UTC — the time of the exploit. The protocol stated that CRT redemption claims would be preserved regardless of whether users redeemed their CRT tokens before or after withdrawal. No timeline was provided for when Drift recovery distributions would occur. The suspension of CRT minting and redemption was first reported in the immediate aftermath of the April 1 exploit, indicating the protocol was aware of its exposure within hours of the attack.","heading":"Permanent Shutdown and Wind-Down Mechanics","severity":"high","sources":[{"credibility":2,"name":"CoinTelegraph – Carrot's TVL Collapses 93% in a Month Following Drift Hack","type":"news_article","url":"https://cointelegraph.com/news/defi-protocol-carrot-becomes-first-casualty-of-285m-drift-exploit"},{"credibility":2,"name":"Bitcoin.com News – Solana Yield Protocol Carrot Shuts Down After Drift Exploit Drains $8M in TVL","type":"news_article","url":"https://news.bitcoin.com/solana-yield-protocol-carrot-shuts-down-after-drift-exploit-drains-8m-in-tvl/"},{"credibility":2,"name":"Crypto.news – Carrot Protocol to Shut Down After Drift Breach Wipes Out TVL","type":"news_article","url":"https://crypto.news/carrot-protocol-to-shut-down-after-drift-breach-wipes-out-tvl/"},{"credibility":2,"name":"KuCoin News Flash – 11 DeFi Protocols Affected by Drift Vulnerability, Partial Functions Suspended","type":"news_article","url":"https://www.kucoin.com/news/flash/11-defi-protocols-affected-by-drift-vulnerability-partial-functions-suspended"},{"credibility":2,"name":"MoneyCheck – Carrot DeFi Protocol Announces Permanent Closure Following Drift Security Breach","type":"news_article","url":"https://moneycheck.com/carrot-defi-protocol-announces-permanent-closure-following-drift-security-breach"}]},{"content":"The Drift exploit triggered a cascading contagion event across the Solana DeFi ecosystem. Early reports identified 11 protocols with immediate disruptions; that number grew to at least 20 as further integrations were uncovered. Protocols confirmed as affected include: DeFi Carrot (minting and redemption suspended, later shut down); Ranger Finance (approximately $900,000 in losses, representing 6% of its TVL); Pyra (card functionality suspended); Asgard Finance (disabled Drift-related credit sources); Fuse Wallet (paused Earn product deposits); xPlace (paused Savings product deposits and withdrawals); Reflect Money; Neutral Trade; Elemental DeFi; Project 0; Lulo Finance; Gauntlet (estimated $6.4 million impact); PrimeFi; Prime Numbers Fi (losses reportedly exceeding $10 million); PiggyBank; Perena; Vectis; Valeo; Amp Pay; Loopscale; Exponent; and Pyra. Carrot was identified as the first protocol to shut down permanently as a result of the contagion. April 2026 was the worst month for DeFi losses since February 2025, with approximately $630 million stolen across 25 separate incidents. The Drift exploit ($285 million) and the Kelp DAO exploit, together, accounted for more than 90% of all crypto stolen in April 2026.","heading":"Broader DeFi Contagion and Downstream Protocol Impact","severity":"high","sources":[{"credibility":2,"name":"CryptoTimes – Carrot Becomes First DeFi Casualty of $285M Drift Exploit","type":"news_article","url":"https://www.cryptotimes.io/2026/05/01/carrot-becomes-first-defi-casualty-of-285m-drift-exploit/"},{"credibility":2,"name":"KuCoin News Flash – 11 DeFi Protocols Affected by Drift Vulnerability, Partial Functions Suspended","type":"news_article","url":"https://www.kucoin.com/news/flash/11-defi-protocols-affected-by-drift-vulnerability-partial-functions-suspended"},{"credibility":2,"name":"Tekedia – 12 Protocols on Solana Currently Impacted by the Drift Protocol Hack","type":"news_article","url":"https://www.tekedia.com/12-protocols-on-solana-currently-impacted-by-the-drift-protocol-hack/"},{"credibility":2,"name":"FinanceFeeds – Carrot DeFi Platform Emerges as First Victim of $285M Drift Hack","type":"news_article","url":"https://financefeeds.com/carrot-defi-platform-emerges-as-first-victim/"},{"credibility":3,"name":"ainvest – Solana Yield Protocol Carrot Shuts Down Following $285M Drift Exploit","type":"news_article","url":"https://www.ainvest.com/news/solana-yield-protocol-carrot-shuts-285m-drift-exploit-2605/"}]},{"content":"The Carrot Protocol shutdown illustrates the systemic risk inherent in DeFi composability — the practice of building protocol functionality on top of other protocols' liquidity, oracles, and infrastructure. Carrot was not compromised directly; its failure was entirely downstream of a compromise in a protocol it depended upon. Chainalysis observed that the Drift incident demonstrated that DeFi risks are 'no longer just in smart contracts, but in the systems, and people, that surround them.' Three specific systemic vulnerabilities were identified in post-incident analysis: the removal of timelocks on governance and admin actions eliminated the detection window necessary for intervention; the use of Solana's durable nonce mechanism to pre-sign admin transactions created a latent attack surface that bypassed real-time oversight; and the absence of oracle design safeguards — such as minimum liquidity thresholds, time-weighted price validation, and circuit breakers — allowed an artificially priced fabricated token to be accepted as hundreds of millions of dollars in collateral. TRM Labs noted that multisig signers require robust independent verification processes for any transaction touching admin functions. For users of aggregator and leverage protocols like Carrot, the incident demonstrated that yield optimization across multiple venues introduces concentration risk to the least-secure underlying protocol in the stack. Carrot's architecture, which routed capital across 8 or more Solana lending protocols automatically, maximized yield efficiency at the cost of exposure to any single protocol failure within the network.","heading":"DeFi Composability Risk and Systemic Lessons","severity":"high","sources":[{"credibility":1,"name":"Chainalysis – Lessons from the Drift Hack","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":1,"name":"TRM Labs – North Korean Hackers Attack Drift Protocol in $285 Million Heist","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":2,"name":"CoinLaw – Solana DeFi Protocol Carrot Shuts Down After Drift Exploit Fallout","type":"news_article","url":"https://coinlaw.io/solana-defi-carrot-shutdown-drift-exploit/"},{"credibility":2,"name":"Carrot Protocol Official Documentation","type":"official","url":"https://docs.deficarrot.com/"}]},{"content":"According to Carrot Protocol's official documentation, the protocol's smart contracts were audited by Sec3 and MadShield prior to the shutdown. Both are Solana-focused security audit firms. No publicly available audit reports or specific audit findings were located during this investigation. The audits, if complete, would have covered Carrot's own smart contracts; they would not have addressed the upstream counterparty risk posed by Drift Protocol's governance structure or the social engineering vulnerability that ultimately caused the cascade. The protocol offered zero management fees and disclosed in its documentation that 'every product carries risk,' though specific risk disclosures regarding counterparty concentration or upstream protocol dependency do not appear to have been prominently featured. No history of direct security incidents affecting Carrot's own contracts was found.","heading":"Security Audits and Pre-Shutdown Risk Profile","severity":"medium","sources":[{"credibility":2,"name":"Carrot Protocol Official Documentation","type":"official","url":"https://docs.deficarrot.com/"}]},{"content":"Users of all three Carrot products — Boost, Turbo, and CRT — were affected by the shutdown. As of the shutdown announcement, users retained legal ownership of their deposited funds and were given until May 14, 2026 to voluntarily withdraw. After that deadline, the protocol committed to force-deleveraging all positions to 1x leverage, freeing underlying liquidity for CRT token redemption. Users with CRT positions face partial losses on the portion of the vault's assets that were exposed to Drift. The CRT token's NAV dropped to approximately $57.52 to $57.58 by mid-April 2026, indicating meaningful impairment relative to its par value. Future recovery from any assets reclaimed through Drift's incident response or legal action will be distributed via an IOU token, with entitlement based on a CRT snapshot taken at April 1, 2026 at 20:00 UTC. The team stated that claims would be preserved regardless of when users redeemed their CRT tokens. No timeline for IOU token distributions was provided. The recovery amount and timeline remain uncertain and depend on Drift Protocol's own recovery proceedings.","heading":"User Impact and Recovery Status","severity":"high","sources":[{"credibility":2,"name":"CoinTelegraph – Carrot's TVL Collapses 93% in a Month Following Drift Hack","type":"news_article","url":"https://cointelegraph.com/news/defi-protocol-carrot-becomes-first-casualty-of-285m-drift-exploit"},{"credibility":2,"name":"CryptoTimes – Carrot Becomes First DeFi Casualty of $285M Drift Exploit","type":"news_article","url":"https://www.cryptotimes.io/2026/05/01/carrot-becomes-first-defi-casualty-of-285m-drift-exploit/"},{"credibility":2,"name":"Bitcoin.com News – Solana Yield Protocol Carrot Shuts Down After Drift Exploit Drains $8M in TVL","type":"news_article","url":"https://news.bitcoin.com/solana-yield-protocol-carrot-shuts-down-after-drift-exploit-drains-8m-in-tvl/"}]}],"sources_used":[{"credibility":2,"name":"CoinTelegraph – Carrot's TVL Collapses 93% in a Month Following Drift Hack","type":"news_article","url":"https://cointelegraph.com/news/defi-protocol-carrot-becomes-first-casualty-of-285m-drift-exploit"},{"credibility":2,"name":"CryptoTimes – Carrot Becomes First DeFi Casualty of $285M Drift Exploit, Shuts Down 30 Days After Hack","type":"news_article","url":"https://www.cryptotimes.io/2026/05/01/carrot-becomes-first-defi-casualty-of-285m-drift-exploit/"},{"credibility":2,"name":"Bitcoin.com News – Solana Yield Protocol Carrot Shuts Down After Drift Exploit Drains $8M in TVL","type":"news_article","url":"https://news.bitcoin.com/solana-yield-protocol-carrot-shuts-down-after-drift-exploit-drains-8m-in-tvl/"},{"credibility":1,"name":"Bloomberg – Drift DeFi Project on Solana Suffers $285 Million Crypto Exploit","type":"news_article","url":"https://www.bloomberg.com/news/articles/2026-04-01/solana-based-defi-project-drift-hit-by-285-million-exploit"},{"credibility":1,"name":"Chainalysis – Lessons from the Drift Hack","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":1,"name":"TRM Labs – North Korean Hackers Attack Drift Protocol in $285 Million Heist","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":1,"name":"Elliptic – Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":2,"name":"CoinDesk – North Korean Hackers Likely Behind the $286 Million Drift Protocol Exploit","type":"news_article","url":"https://www.coindesk.com/business/2026/04/02/north-koreans-hackers-likely-behind-the-usd286-million-drift-protocol-exploit-elliptic"},{"credibility":2,"name":"The Hacker News – $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"Crypto.news – Carrot Protocol to Shut Down After Drift Breach Wipes Out TVL","type":"news_article","url":"https://crypto.news/carrot-protocol-to-shut-down-after-drift-breach-wipes-out-tvl/"},{"credibility":2,"name":"CoinLaw – Solana DeFi Protocol Carrot Shuts Down After Drift Exploit Fallout","type":"news_article","url":"https://coinlaw.io/solana-defi-carrot-shutdown-drift-exploit/"},{"credibility":2,"name":"KuCoin News Flash – 11 DeFi Protocols Affected by Drift Vulnerability, Partial Functions Suspended","type":"news_article","url":"https://www.kucoin.com/news/flash/11-defi-protocols-affected-by-drift-vulnerability-partial-functions-suspended"},{"credibility":2,"name":"KuCoin – Carrot Shuts Down After Drift Exploit Causes 90% TVL Drop","type":"news_article","url":"https://www.kucoin.com/news/flash/carrot-shuts-down-after-drift-exploit-causes-90-tvl-drop"},{"credibility":2,"name":"Tekedia – 12 Protocols on Solana Currently Impacted by the Drift Protocol Hack","type":"news_article","url":"https://www.tekedia.com/12-protocols-on-solana-currently-impacted-by-the-drift-protocol-hack/"},{"credibility":2,"name":"FinanceFeeds – Carrot DeFi Platform Emerges as First Victim of $285M Drift Hack","type":"news_article","url":"https://financefeeds.com/carrot-defi-platform-emerges-as-first-victim/"},{"credibility":2,"name":"MoneyCheck – Carrot DeFi Protocol Announces Permanent Closure Following Drift Security Breach","type":"news_article","url":"https://moneycheck.com/carrot-defi-protocol-announces-permanent-closure-following-drift-security-breach"},{"credibility":2,"name":"Carrot Protocol – DefiLlama TVL Dashboard","type":"on_chain","url":"https://defillama.com/protocol/carrot"},{"credibility":2,"name":"Carrot Protocol Official Documentation","type":"official","url":"https://docs.deficarrot.com/"},{"credibility":3,"name":"ainvest – Solana Yield Protocol Carrot Shuts Down Following $285M Drift Exploit","type":"news_article","url":"https://www.ainvest.com/news/solana-yield-protocol-carrot-shuts-285m-drift-exploit-2605/"},{"credibility":2,"name":"CCN – Drift Protocol Hit by $285M Exploit: Crypto's Biggest Hack of 2026 Unfolds on April Fool's Day","type":"news_article","url":"https://www.ccn.com/news/crypto/drift-protocol-285m-biggest-hack-2026-april-fools-day/"}],"summary":"Carrot Protocol (also known as DeFi Carrot) was a Solana-based DeFi yield hub offering leveraged yield farming, managed leverage tokens, and a yield-bearing stablecoin receipt token (CRT). On April 30, 2026, the protocol announced a permanent shutdown after its total value locked collapsed 93% — from approximately $28 million to under $2 million — as a downstream casualty of the $285 million Drift Protocol exploit on April 1, 2026. Carrot was not directly hacked; its failure resulted from deep liquidity dependencies on Drift's infrastructure, making it the first confirmed DeFi protocol to shut down as a result of the Drift exploit contagion.","timeline":[{"date":"2025-10-01","event":"Social engineering campaign targeting Drift Protocol contributors begins; threat actors posing as a quantitative trading firm begin building relationships with Drift team members","source":"Chainalysis – Lessons from the Drift Hack","source_url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"date":"2026-03-11","event":"Attackers withdraw staging funds from Tornado Cash to begin funding infrastructure","source":"TRM Labs – North Korean Hackers Attack Drift Protocol","source_url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"date":"2026-03-12","event":"Attackers create fabricated CarbonVote Token (CVT) with controlled supply and deploy wash trading to anchor its price at approximately $1","source":"Chainalysis – Lessons from the Drift Hack","source_url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"date":"2026-03-23","event":"Attackers begin creating Solana durable nonce accounts and manipulating Drift Security Council members into pre-signing dormant admin transfer transactions","source":"TRM Labs – North Korean Hackers Attack Drift Protocol","source_url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"date":"2026-03-26","event":"Drift Protocol migrates to a 2-of-5 Security Council multisig configuration with zero timelock, eliminating the detection and intervention window","source":"Chainalysis – Lessons from the Drift Hack","source_url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"date":"2026-04-01","event":"Drift Protocol exploit executed: admin control transferred to attacker-controlled addresses at approximately 16:05 UTC; $285 million drained across 31 transactions in approximately 12 minutes; stolen assets bridged to Ethereum within hours","source":"Bloomberg – Drift DeFi Project on Solana Suffers $285 Million Crypto Exploit","source_url":"https://www.bloomberg.com/news/articles/2026-04-01/solana-based-defi-project-drift-hit-by-285-million-exploit"},{"date":"2026-04-01","event":"Carrot Protocol suspends CRT minting and redemption in immediate response to Drift exploit; CRT snapshot taken at 20:00 UTC for future IOU token entitlement","source":"KuCoin News Flash – 11 DeFi Protocols Affected by Drift Vulnerability","source_url":"https://www.kucoin.com/news/flash/11-defi-protocols-affected-by-drift-vulnerability-partial-functions-suspended"},{"date":"2026-04-02","event":"Drift Protocol publicly confirms exploit; Carrot publicly confirms losses with CRT holders facing an estimated 50% loss; Elliptic flags DPRK-linked indicators","source":"CryptoTimes – Carrot Becomes First DeFi Casualty of $285M Drift Exploit","source_url":"https://www.cryptotimes.io/2026/05/01/carrot-becomes-first-defi-casualty-of-285m-drift-exploit/"},{"date":"2026-04-05","event":"Drift Protocol states with medium-high confidence that the attack matches the profile of UNC4736, a North Korean state-affiliated hacking group previously attributed to the October 2024 Radiant Capital hack","source":"Elliptic – Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack","source_url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"date":"2026-04-30","event":"Carrot Protocol announces permanent shutdown; team states the Drift exploit 'has proven to be catastrophic for our continued operations'; Carrot becomes the first DeFi protocol to shut down permanently as a result of the Drift contagion","source":"CoinTelegraph – Carrot's TVL Collapses 93% in a Month Following Drift Hack","source_url":"https://cointelegraph.com/news/defi-protocol-carrot-becomes-first-casualty-of-285m-drift-exploit"},{"date":"2026-05-01","event":"Shutdown announcement widely reported; Carrot's TVL confirmed at approximately $1.99 million, down 93% from $28 million on April 1","source":"CryptoTimes – Carrot Becomes First DeFi Casualty of $285M Drift Exploit","source_url":"https://www.cryptotimes.io/2026/05/01/carrot-becomes-first-defi-casualty-of-285m-drift-exploit/"},{"date":"2026-05-14","event":"Final voluntary withdrawal deadline for Carrot users across Boost, Turbo, and CRT products; after this date forced deleveraging to 1x leverage begins","source":"Bitcoin.com News – Solana Yield Protocol Carrot Shuts Down After Drift Exploit Drains $8M in TVL","source_url":"https://news.bitcoin.com/solana-yield-protocol-carrot-shuts-down-after-drift-exploit-drains-8m-in-tvl/"}]},"v":1}
Verify offline (run on your own machine)
python -m src.verify_decision 4e2fc075-7f09-4107-8721-f49de9164a49

How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.