Carrot, a DeFi yield protocol based on Solana, announced its permanent closure on April 30, 2026, after losing approximately $8 million in total value locked, or approximately half of its TVL – due to the fallout from the April 1 Drift protocol exploit that drained approximately $285 million from one of Solana’s largest perpetual futures platforms.
Carrot was not directly hacked. It was removed by a protocol it depended on, and that distinction is what makes this story more than a summary of a routine exploit.
Users have until May 14, 2026 to voluntarily withdraw funds from Carrot’s three main products. After this deadline, the team will begin to forcibly reduce all remaining positions to 1x leverage, freeing up liquidity for final CRT stablecoin redemptions.
The official Carrot account on
A snapshot of CRT token holdings was taken at 20:00 UTC on April 1, at the exact time of the Drift exploit, to preserve proportional claims for any future Drift recovery distributions paid via the IOU token.
1/ Carrot stops
This is certainly not the outcome we wanted, but the situation with the Drift exploit turned out to be catastrophic for our continued operations.
– Carrot (@DeFiCarrot) April 30, 2026
The detail that most headlines miss is that Carrot never had a vulnerability in its own code. Its Boost and Turbo products routed user funds through vaults built into Drift, meaning that Drift’s security was also Carrot’s, whether Carrot users knew it or not.
DISCOVER: The Next 1000x Crypto Gem Ahead of Its Listing on Binance
How did the Drift Protocol exploit actually work?
The Drift exploit, which the Drift Protocol confirmed occurred around 8:00 p.m. UTC on April 1, used what investigators described as a new, durable, casual exploit, a technique that manipulates how Solana handles the signing of pre-authorized transactions to compromise administrative controls.
The attackers, believed to have ties to North Korean state-sponsored groups, spent about three weeks planning the attack before carrying it out. More than 50% of Drift’s TVL was depleted within minutes, triggering an immediate suspension of deposits and withdrawals on the platform.
Carrot held significant exposure via Drift-integrated vaults and liquidity positions. Shortly after the exploit, the team suspended all strike and redemption functions while assessing the damage.
As of mid-April, Carrot’s CRT NAV had been adjusted to between approximately $57.52 and $57.58 per token, reflecting both realized and unrealized losses. The Drift hack is now the largest DeFi exploit of 2026 and the second largest in Solana history – a data point that currently matters to anyone assessing the health of the broader Solana ecosystem.
Carrot operated for more than two years before this shutdown, creating what it described as a “yield operating system” for Solana. No handling fees apply during the liquidation period and the team has confirmed that deposited funds remain the legal property of users throughout the process.
EXPLORE: Best Crypto Presales to Watch
The post Solana Yield Protocol’s Carrot Stops After $8M Exploit appeared first on 99Bitcoins.
