Solana Yield Protocol Carrot Shuts Down After $8M Exploit
Carrot, a Solana-based DeFi yield protocol, announced its permanent shutdown on April 30, 2026, after losing approximately $8 million in total value locked, roughly half its TVL, to the fallout from the April 1 Drift Protocol exploit that drained an estimated $285 million from one of Solana’s largest perpetual futures platforms.
Carrot was not directly hacked. It was taken down by a protocol it depended on, and that distinction is what makes this story more than a routine exploit summary.
Users have until May 14, 2026, to voluntarily withdraw funds from Carrot’s three core products. After that deadline, the team will begin force-deleveraging all remaining positions to 1x leverage, freeing liquidity for final CRT stablecoin redemptions.
Carrot’s official account on X confirmed the decision plainly: “Carrot is shutting down. This is certainly not the outcome we wanted, but the situation with the Drift exploit has proven to be catastrophic for our continued operations.”
A snapshot of CRT token holdings was taken at 20:00 UTC on April 1, the exact moment of the Drift exploit, to preserve proportional claims for any future Drift recovery distributions paid via IOU token.
The detail most headlines are missing is that Carrot never had a vulnerability in its own code. Its Boost and Turbo products routed user funds through Drift-integrated vaults, meaning Drift’s security was also Carrot’s security, whether Carrot’s users knew that or not.
How Did the Drift Protocol Exploit Actually Work?
The Drift exploit, which the Drift Protocol confirmed occurred at approximately 20:00 UTC on April 1, used what investigators have described as a novel durable nonce exploit, a technique that manipulates how Solana handles pre-authorized transaction signing to compromise administrative controls.
Attackers, suspected to have ties to North Korean state-sponsored groups, spent roughly three weeks preparing the attack before executing it. Over 50% of Drift’s TVL was drained in minutes, triggering an immediate suspension of deposits and withdrawals across the platform.

Carrot held significant exposure through Drift-integrated vaults and liquidity positions. Shortly after the exploit, the team paused all minting and redemption functions while assessing the damage.
By mid-April, Carrot’s CRT net asset value had been adjusted to approximately $57.52 to $57.58 per token, reflecting both realized and unrealized losses. The Drift hack is now the largest DeFi exploit of 2026 and the second-largest in Solana’s history – a data point that matters for anyone evaluating the health of the broader Solana ecosystem right now.
Carrot operated for more than two years before this shutdown, building what it described as a “yield operating system” for Solana. No management fees apply during the wind-down period, and the team has confirmed that deposited funds remain the legal property of users throughout the process.
The post Solana Yield Protocol Carrot Shuts Down After $8M Exploit appeared first on 99Bitcoins.

