Carrot, a Solana-based DeFi yield protocol, has announced that it is shutting down after suffering major damage from the April 1 exploit on Drift Protocol. The incident, which drained roughly $285 million from Drift within minutes, has become one of the biggest DeFi security failures of 2026 and one of the most severe exploits in Solana’s history. For Carrot, the fallout proved too significant to continue operating.
The protocol said the Drift attack directly impaired vaults, liquidity positions, and yield strategies tied to its product stack. Because Carrot had meaningful integration with Drift, the exploit quickly translated into losses across its own balance sheet and user-facing products. Estimates cited in post-incident assessments indicated that roughly 50% of Carrot’s total value locked was exposed, with some analyses placing losses at more than $8 million.
Users Face a May 14 Withdrawal Deadline
Carrot has asked users to withdraw funds from its three core offerings—Boost, Turbo, and CRT—by May 14, 2026. After that date, the team plans to unwind all remaining leveraged positions down to 1x exposure, a process designed to free liquidity and support CRT redemptions during the shutdown.
According to the team, users’ deposited assets remain their property throughout the wind-down. Carrot also said that the deleveraging process itself should not change net value, though it will reduce open leverage and simplify remaining positions as the platform exits the market.
The decision was formally confirmed in a final thread published on X on April 30. In that statement, the team said the Drift exploit had turned into a catastrophic event for the protocol’s continued operations. The wording underscored that this was not a strategic pivot or voluntary sunset, but a shutdown driven by direct losses and the broader collapse in operating viability following the attack.
How the Drift Exploit Damaged Carrot
Drift was attacked at around 20:00 UTC on April 1. The exploit reportedly used a novel durable nonce technique to compromise administrative controls. More than 50% of Drift’s TVL was drained, prompting an immediate suspension of deposits and withdrawals on the affected platform. Reports cited in the source material said attackers were suspected to have links to North Korean state-backed groups, although no new attribution details were provided by Carrot itself.
Carrot moved quickly after the exploit, pausing minting and redemption while it assessed the scope of the damage. By mid-April, the protocol had revised the net asset value of its CRT token to approximately $57.52 to $57.58 per token, reflecting both realized and unrealized losses connected to the Drift event. As the month progressed, Carrot’s TVL fell sharply, and the protocol continued to operate only in a limited capacity.
Throughout that period, the team posted updates through X and Discord, seeking to provide users with status reports and preserve claims tied to any eventual Drift recovery process. In the end, however, the scale of the impairment and the protocol’s dependency on Drift-linked strategies made recovery impractical.
Recovery Rights Preserved Through CRT Snapshot
One of the most important details for users is Carrot’s handling of potential future reimbursement from Drift. The team said it took a snapshot of CRT holdings at 20:00 UTC on April 1, 2026. That record will be used to determine how any future Drift recovery distributions are allocated to affected users.
Those distributions are expected to come in the form of an IOU token at an undisclosed future date. Carrot said the eventual payout, if and when it occurs, will be made on a proportional basis according to the April 1 snapshot. Importantly, the team stated that users who redeem their CRT after the snapshot will still retain their right to any future recovery tied to that recorded balance.
This structure is meant to separate the shutdown and redemption process from the preservation of recovery claims. In practical terms, it allows users to exit Carrot’s products during the wind-down without forfeiting the right to compensation that may later be distributed through the Drift recovery framework.
What Boost, Turbo, and CRT Actually Did
Carrot’s product suite was built around automated yield and leverage tools for the Solana ecosystem. Boost allowed users to deposit yield-bearing collateral such as JLP, FLP, or ONyc and select a target leverage level, with the protocol automating looping and borrowing strategies to amplify returns. Turbo offered managed leveraged token exposure to assets including SOL, BTC, and GOLD, maintaining leverage dynamically on behalf of users.
CRT functioned as a yield-bearing stablecoin product. Users could deposit USDC, USDT, or PYUSD, with no lockup requirements and no management fees. In the shutdown notice, Carrot said there would be no management fees during the wind-down period, a measure likely intended to reduce additional friction for users trying to exit affected positions.
The protocol described itself as a “yield operating system” for Solana and had operated for more than two years. Its shutdown therefore marks not only the failure of a single product, but also the unwinding of a broader attempt to package leverage, liquidity access, and automated yield optimization into a unified user experience.
Broader Solana DeFi Contagion
The impact of the Drift exploit was not limited to one platform. The source material notes that the hack rippled through roughly 15 to 20 interconnected Solana protocols that depended on Drift for liquidity, vault infrastructure, or yield strategies. Carrot was among the hardest hit because of how deeply it was integrated into that stack.
This kind of secondary damage highlights a recurring risk in DeFi: composability can accelerate innovation, but it can also magnify losses when a core protocol fails. In Carrot’s case, the value proposition of automated yield generation and leveraged products depended on the reliability of a major underlying venue. Once that venue was compromised, the shock moved quickly across dependent strategies and balance sheets.
For users, the immediate priority is operational rather than theoretical. Carrot has advised participants to verify balances and transaction histories using Solana block explorers and to continue monitoring its official X and Discord channels for final instructions, updates on the wind-down, and any new timeline related to Drift recovery distributions.
With the protocol now entering its final phase, the shutdown stands as another reminder that in interconnected DeFi markets, upstream exploits can become existential events for downstream products—even when those products are not the original target of the attack.

