cofounder @DriftProtocol

Joined January 2017
Pinned Tweet
27 May 2025
Big conclusion from Accelerate: All assets - equities, bonds, money markets, cryptoassets - will eventually be traded and settled in their most capital-efficient form. And that's going to be onchain, on @solana.
cindy retweeted
A common question we're getting on the Drift relaunch is: why is it taking so long? Why do you even need a 'relaunch' when it was already live?

One of the biggest decisions early on was: new program or reuse the old one? We decided to launch with an entirely new program/program ID. Why?

1. The existing program's state was in limbo after the hack. It didn't fully resolve the liquidations because the exploiter's collateral was never marked to 0. We wouldn't want to muddy that state, because it is needed to snapshot what everyone is owed.

2. Security is not something you can just strap on - it takes thoughtful design from the outset. Adding extra security means making breaking changes to on-chain state. Making these changes while providing a migration path for existing state is 10x harder.

An analogy - code is like a Jenga tower. Security is at the bottom of the tower. It is very hard to change the blocks at the bottom without toppling the tower. If the code is not in production, though, you can simply put the top part of the tower off to the side and fix the bottom.

Next. Why is it taking so long? Part of making a program more secure is lowering the attack surface. Over the years, Drift developers were forced to make less-than-ideal design decisions in order to not change existing code in a non-backwards-compatible way. In tech circles, we call this accumulating 'tech debt'. Now that the program needs to be completely re-audited from scratch, that debt not only adds heaps of time and cost to the audit schedule, it also increases the attack surface and makes the code hard to reason about.

Is this a complete rewrite? No. That would take far too long, and would be unproductive as it would lose all of the hard-fought lessons built into the existing code. Think of it more as mowing the lawn. It's overgrown, and there are weeds everywhere. I'm whacking the legacy problem sections I can find, and trying to make the code easier to audit.

I'm not going to catch everything, or have time to fix all tech debt, but I'm fixing all of the top offenders. I'll share more in later tweets of specific changes I've been making, as I want to be as transparent as possible.
cindy retweeted
While it's been an epic few years at Helium, I couldn't resist the call of another migration-level challenge. Those of you who know me know I can't resist chewing some glass. As such, I am going to join the @DriftProtocol team and help them relaunch.

Why? Because I genuinely believe that Drift provides a valuable set of primitives to the ecosystem and is worth saving. This is also the best path to funding user recovery; we must build something so useful it can generate the revenue needed for the recovery pool. Tall order. The landscape has shifted. Trust is eroded. Things that are worthwhile are rarely easy, and this is no exception. I fully acknowledge I could be applying for a job at Wendy’s in 6 months. Everyone has forks in the road in their careers, easier paths vs harder paths. I have chosen the harder path at every turn; and it has paid off. Not every swing hits, but even in failure you massively level up your skillset.

My focus is on improving the security stance of Drift, getting it relaunched, then turning it into the best perps exchange in existence:

First, that means working with STRIDE to ensure we're following the best multisig and opsec practices. I won’t be taking this endeavor alone; the chads at @asymmetric_re and @osec_io have been incredibly helpful and continue to be deeply involved in auditing both new code and new operational practices. Security does not come from one individual, it comes from cultivating a culture of security and having outside professionals continuously verify that work.

Second, I am overhauling the codebase (within reason). Over the years it has picked up a large set of features, many of which no longer need to be used. The protocol has solid bones, but tight coupling has led to a buildup of tech debt that is easier to fix during this downtime.

Third, I want to build multiple levels of security and circuit breakers into the protocol. DeFi protocols must be structured to limit the ability of a single incident or contagion to create havoc. I will be thinking from the perspective of defense-in-depth; there should be layers of protection to prevent incidents like the April 1st hack. The program should reject suspicious changes even if they come from an operational multisig.

Lastly, and more long term, I want Drift to become the most compelling perps exchange on the market. I am very much looking forward to entering the arena that is perps on Solana. It is an honor to be competing with the chads on all the other teams (Phoenix, Bulk, Gm, Imperial, Pacifica, etc). Steel sharpens steel, and I eagerly await the firehose of knowledge over these next few months. Solana needs as many shots on goal as it can get. One (or many) of us will win.
Today we published a protocol update, providing the latest on where we are on relaunch and a path to user recovery. Excited to announce that @redacted_noah, one of Solana’s top smart contract engineers, will be joining Drift as Head of Protocol, and previous members of the @gauntlet_xyz team contributing their risk expertise are meaningful additions as we gear up to bring the platform back online. Drift will relaunch as the largest USDT-based perps exchange on Solana, with a focus on scalable security and performance. We know our users are still carrying real losses, and that has not left our focus for a moment. We are committed to building Drift into the platform this ecosystem deserves and driving full user recovery. Relaunch is where that work begins in earnest. Full update: drift.trade/updates/drift-re…
Today we are sharing an update on Drift recovery and relaunch drift.trade/updates/drift-re…
Today marks a new chapter for @DriftProtocol x @tether, built on resilience and trust. We will be coming back stronger than ever, and giving our 110% every time.
Apr 16
Tether Leads Support to the $150M Drift Recovery Plan, Stabilizes Relaunch as Drift Plans to Expand USD₮ Usage on Solana Read more: tether.io/news/tether-leads-…
cindy retweeted
❤️🙏
After April 1, we put our heads down and committed to making this right for our users and partners. Today, we're announcing a collaboration with @tether and other partners, through which they are proposed to contribute up to $147.5 million combined to support user recovery and facilitate the Drift Protocol relaunch. The collaboration is structured around a clear, revenue-driven recovery mechanism designed to prioritize users from day one through a revenue-linked credit facility, an ecosystem grant, and loans to market-makers. During the initial phase of the collaboration, a substantial portion of exchange revenue, together with committed support capital, is intended to fund a dedicated user recovery pool. The willingness of @paoloardoino, Tether and our partners to commit real capital to Drift’s recovery says something about the strength of what we've built and what we're building next, as well as our shared vision to scale the Solana DeFi ecosystem together. We are committed to continuing to provide transparency rooted in accountability as we build Drift back stronger in the coming months, and have outlined initial steps towards relaunch and user recovery in this Incident Recovery Update: drift.trade/updates/incident… Full details from @DriftProtocol: businesswire.com/news/home/2…
Today, Drift is announcing a collaboration with @tether and other partners totaling up to nearly $150 million to support our commitment to a relaunch with USDT at the center, and a path to user recovery. These funds encompass a $100M revenue-linked credit facility, an ecosystem grant, and loans to market makers, designed to fund a dedicated user recovery pool. Learn more 👇
cindy retweeted
Drift is actively working with @asymmetric_re, and @osec_io to consolidate a coordinated recovery plan. Our immediate focus is to stabilize the situation and provide protocol-level assurance to all affected users and partners. Drift will also be participating in the STRIDE program by @SolanaFndn as part of strengthening our long-term security posture. We’re aligning closely with leading ecosystem security teams to ensure a structured and thoughtful path forward. Further updates will be shared soon.
Solana was built for security. As the ecosystem scales, so does our investment in the tools, standards, and support. Today that commitment deepens with a new security program, active monitoring, formal verification for top protocols, and a new crisis response network. Learn more 👇
cindy retweeted
This wasn’t just a hack. It may have been a 6-month infiltration.

Drift just shared its preliminary reconstruction of how the April 1 exploit was staged 👇

• Attackers posed as a legit quant trading firm
• Built trust with contributors across multiple conferences
• Spent months discussing strategies and integrations
• Deposited $1M to establish credibility
• Possible vectors included a malicious repo and a TestFlight app
• One possible repo-based vector involved a VSCode/Cursor vuln
• Chats and malware were scrubbed right after the exploit

Attribution points to a state-level operation (DPRK-linked) with high resources and coordination.

This is no longer “smart contract risk”. It’s human operational security.

How do you defend against something like this? 🤔
cindy retweeted
TLDR on @DriftProtocol hack👇🏻

> 6-month social engineering op
> fake quant firm met contributors at conferences
> built trust in a telegram group over months
> onboarded $1M vault with real capital
> shared "tools" & repos during integration talks
> one dev cloned malicious repo → opened in VSCode (silent exploit)
> another installed fake TestFlight "wallet" app
> malware hit signer devices → compromised multisig approvals
> april 1: drained ~$285M in minutes

SICKKKKK
If this preliminary report is correct, this is an incredibly sophisticated attack. Most protocols are not thinking about security in this way.
cindy retweeted
Terrifying
cindy retweeted
I’ll add: Just like the Radiant case…. As well as Bybit and WazirX…. And the $20m Venus whale…. They have gotten very good at tricking people into signing what they want without them ever noticing.
cindy retweeted
absolute madness only antisocial teams who think everyone and everything is a scam are safe
cindy retweeted
The more US victims impacted by Drift’s hack, the more energy and resources the FBI can expend on working the case. File a report with ic3.gov
Replying to @GivnerAriel
While we don’t have many answers, if you are a US citizen or resident and you were impacted, I urge you to file a report with ic3.gov. I wish I had more to say, but the tragedy of this is beyond words.
cindy retweeted
I beg everyone in crypto to read this in full. I expected this to be another case of social engineering, likely some recruiter/job offer shit. I was very wrong. And the depth of the operation and personas makes me think they already have multiple other teams on lock. 😳
cindy retweeted
Apr 5
pretty crazy if true. tl;dr - hackers casually gained trust via an irl conference meet, set up a tg channel and became a customer, started building integrations over 6 months and then got one person with a testflight link to show off what they built