Carrot Shuts Down After $285M Drift Exploit: First DeFi Casualty

Carrot Becomes First DeFi Casualty of $285M Drift Exploit, Shuts Down 30 Days After Hack

Show AI Summary

Carrot’s shutdown results from its yield strategies being impaired by the Drift exploit.

The protocol relied on Drift for liquidity and yield, impacting its Boost, Turbo, and CRT products.

Carrot spent 30 days attempting to stabilize after the exploit before deeming operations non-viable.

Carrot, a yield protocol on Solana known as the “yield operating system” for the Solana DeFi ecosystem, is closing down. This makes it the first major project to fail following the security breach at Drift in April, and it clearly demonstrates how interconnectedness in DeFi can cause problems for projects that weren’t even directly involved in the initial attack.

As an analyst following the situation, I can confirm that the Carrot team has officially announced they’re shutting down. In a recent thread on X, they stated this wasn’t the result they hoped for, but the damage caused by the Drift exploit was simply too severe for them to continue operating.

We’re sadly announcing that Carrot is shutting down. Unfortunately, the recent Drift exploit created insurmountable challenges, making it impossible for us to continue operating.

— Carrot (@DeFiCarrot) April 30, 2026

What’s Being Wound Down

Carrot operated three core products that together formed an integrated yield stack on Solana:

Boost — A leveraged yield product that allowed users to deposit yield-bearing assets such as JLP (Jupiter Perps LP), FLP, or ONyc as collateral and choose a leverage level, with the protocol automatically looping and borrowing to amplify yields.
Turbo — Managed leveraged token exposure to assets including SOL, BTC, and GOLD, with dynamic leverage maintained automatically by the protocol.
CRT — Carrot’s native yield-bearing receipt token, which represented user deposits and accrued yield from the underlying strategies.

All three projects heavily used Drift Protocol, which was the biggest perpetuals exchange on Solana before it was hacked. When Drift lost its funds, Carrot’s investment methods and the value of CRT were immediately affected.

The 30-Day Timeline of Failed Stabilisation

Carrot didn’t shut down right away. After the issue started, the system tried for 30 days to fix things before deciding it couldn’t continue operating.

April 1 — The Drift exploit drains $285 million in 12 minutes, attributed to North Korea’s Lazarus Group by Elliptic and TRM Labs. Approximately 15-20 Solana protocols were affected; Carrot was directly exposed.
April 2 — Carrot publicly confirms losses tied to the Drift exploit. The team announces that, assuming no recovery of funds, CRT holders face an estimated ~50% loss. The protocol moves to restrict withdrawals in certain markets, reduce leverage, and consolidate assets to support redemptions.
April 1 to April 30 — Carrot’s TVL collapses from approximately $28 million to $2 million, per DeFiLlama data—a >90% decline in 30 days as users withdraw funds and positions are unwound. Liquidity steadily drains despite stabilization efforts.
April 30 — Carrot announces shutdown. May 14 is set as the final user-withdrawal deadline before force-deleveraging.

The Shutdown Mechanics

Users will have until May 14, 2026, to take their funds out of Boost, Turbo, and CRT voluntarily. After that date, the system will automatically reduce all leveraged positions to the lowest possible level, eliminating risk and making funds available for CRT redemptions.

The Carrot team explained in a follow-up message that while your money remains safe, any borrowed funds will be reset to zero. This will make all your available funds accessible for claiming your CRT tokens.

Importantly, we won’t charge management fees while Drift is being resolved. Any funds recovered from Drift will still be distributed to users proportionally, based on their CRT token holdings as of April 1st, using IOU tokens. Even if you redeem your CRT tokens later, you’ll still receive your share of any future Drift recovery funds. We don’t have a specific timeframe for when these distributions will happen, as the recovery process is still underway.

The Founder’s Closing Words

The Carrot team closed the thread with notably reflective language for a DeFi shutdown post:

As an analyst, I’ve been closely following Carrot’s journey for the last two years, and the team’s core goal has always been to simplify DeFi and open it up to a wider audience. They started with CRT, then expanded with Carrot Lend, incorporating features like Boost and Turbo. It’s definitely a difficult decision to wind things down, especially considering the significant time and resources everyone involved has invested in the project.

I want to express my sincere gratitude to everyone who has contributed to Carrot. Building trust requires consistent honesty, and a strong reputation is forged through difficult times. I believe we’ve consistently demonstrated those qualities throughout Carrot’s history, and continue to do so today.

As a researcher following the DeFi space, I found Carrot’s approach to their shutdown particularly noteworthy. Usually, when a DeFi project ends, they either disappear without a word or hide behind standard legal jargon. But Carrot’s team did something different – they publicly took responsibility for the failure. What’s even more interesting is that, according to their post-mortem analysis, the problem wasn’t with their *own* code or security. Instead, it stemmed from an exploit that happened on a different platform, impacting them as a downstream user.

Why Carrot Is the Test Case for Composability Risk

The collapse of Carrot highlights a key risk in how DeFi projects are built. The problem wasn’t a flaw in the code itself, but a sophisticated attack that tricked the people controlling Drift – a system they used – into approving a fake token. This allowed the attacker to steal $285 million worth of real assets very quickly, in just 12 minutes and 31 transactions.

In 2025, Carrot used Drift to improve how easily users could trade and earn rewards – a standard practice for Solana-based DeFi platforms at the time, as Drift was the leading perpetuals exchange. Unfortunately, Carrot’s systems couldn’t withstand a security issue with Drift. While the initial financial loss was around $8 million – a sum Carrot could have handled on its own – the resulting loss of user confidence and a massive wave of withdrawals (over 90%) ultimately forced the platform to shut down.

This situation mirrors wider worries about potential problems in the DeFi space in 2026. Earlier, an exploit of the Kelp DAO’s rsETH led to debts across Aave and Compound, prompting a large, coordinated rescue effort worth over $300 million. However, the recent issues with Drift have resulted in a different outcome – there’s been no central intervention or collaborative bailout. Instead, affected projects are shutting down one after another as their teams realize they can’t fix the problem.

What’s Next for the Drift Recovery

Drift Protocol, after receiving up to $147.5 million in support from Tether and others, is planning to relaunch. It will now use USDT instead of USDC for settlements. Users affected by the previous issues will receive a new token representing their recovered funds, though the exact timing of this distribution is still unknown. Because of this uncertainty, Carrot is carefully managing its closure to ensure users don’t lose their potential claims to Drift Protocol’s recovery funds, even after they’ve redeemed their CRT tokens.

Several other projects affected by the Drift exploit – like Pyra (which lost all its funds), Reflect Money, Ranger Finance, Piggybank (where the team covered $106K in losses), and Project0 – are each deciding if they will continue operating. Carrot’s decision to shut down has established a process for handling such situations: a 30-day period to try and stabilize things, a 14-day window for users to withdraw their funds, automatically reducing leveraged positions to the lowest risk level, and a commitment from the team to manage any future recovery of funds.

The closure of Carrot is a clear sign that the financial problems stemming from the Drift hack aren’t limited to the Drift platform itself, and are impacting the wider Solana DeFi space. April 2026 saw roughly $630 million lost across 25 separate incidents – the most losses in a single month since February 2025. The exploits of Kelp DAO and Drift were responsible for over 90% of these losses.

Before ending communication, Carrot shared a message that reflected the team’s disappointment with the loss: “Trust is built through reliable actions, and a strong reputation is forged during difficult times.” Now, all other projects affected by the Drift situation are being asked if they can prove they share those same values – or if they will also have to close down.

2026-05-01 15:04