Carrot, a Solana-based DeFi yield protocol, announced its permanent closure on April 30, 2026, after losing approximately $8 million in total value locked, roughly half of its TVL, due to the fallout from the April 1 Drift Protocol Exploitation that drained approximately $285 million from one of Solana’s largest perpetual futures platforms.
Carrot was not hacked directly. He was eliminated by a protocol he depended on, and that distinction is what makes this story more than a routine exploitation recap.
Users have until May 14, 2026 to voluntarily withdraw funds from Carrot’s three main products. After that deadline, the team will begin forcing deleveraging of all remaining positions to 1x leverage, freeing up liquidity for final CRT stablecoin swaps.
Carrot’s official account on
A snapshot of CRT token holdings was taken at 20:00 UTC on April 1, the exact time of the Drift exploit, to preserve proportional claims for any future Drift recovery distributions paid via the IOU token.
1/ Carrot is closing
This is certainly not the outcome we wanted, but the situation with the Drift exploit has proven to be catastrophic for the continuity of our operations.
– Carrot (@DeFiCarrot) April 30, 2026
The detail missing from most headlines is that Carrot never had a vulnerability in its own code. Its Boost and Turbo products routed user funds through vaults built into Drift, meaning Drift’s security was also Carrot’s security, whether Carrot users knew it or not.
DISCOVER: The Next Crypto Gem 1000x Before It Lists On Binance
How did the Drift protocol exploit actually work?
The Drift exploit, which Drift Protocol confirmed occurred at approximately 20:00 UTC on April 1, used what researchers have described as a novel durable nonce exploit, a technique that manipulates how Solana handles the signing of pre-authorized transactions to compromise administrative controls.
The attackers, suspected of having ties to North Korean state-sponsored groups, spent approximately three weeks preparing the attack before carrying it out. Over 50% of Drift’s TVL was depleted within minutes, causing an immediate suspension of deposits and withdrawals across the platform.
Carrot maintained significant exposure through Drift-integrated vaults and liquidity positions. Shortly after the exploit, the team stopped all minting and redemption functions while assessing the damage.
As of mid-April, Carrot’s CRT net asset value had adjusted to approximately $57.52 to $57.58 per token, reflecting both realized and unrealized losses. The Drift hack is now the largest DeFi exploit of 2026 and the second largest in Solana history, a fact that is important to anyone assessing the health of the broader Solana ecosystem right now.
Carrot operated for more than two years before this closure, building what it described as a “performance operating system” for Solana. There are no handling fees applied during the settlement period and the team has confirmed that the deposited funds remain the legal property of the users throughout the process.
EXPLORE: The best cryptocurrency pre-sales to watch
Why you can trust 99Bitcoins
Established in 2013, 99Bitcoin team members have been crypto experts since the early days of Bitcoin.
90 hours+
Weekly Research
100k+
Monthly readers
50+
Expert collaborators
2000+
Crypto Projects Reviewed
Follow 99Bitcoins on your Google News Feed
Get the latest updates, trends and insights right at your fingertips. Subscribe now!
Subscribe now 
