Solana DeFi Protocol Carrot Shuts Down After Drift Exploit Fallout

A Solana based DeFi protocol Carrot has announced it will shut down operations after suffering severe losses linked to the recent Drift exploit.

Key Takeaways

• Carrot is shutting down after losses tied to the Drift Protocol exploit, one of the largest DeFi hacks of 2026.
• Users have until May 14, 2026, to withdraw funds from Boost, Turbo, and CRT products.
• The protocol saw TVL collapse from about $28 million to nearly $2 million following the incident.
• Any future recovery from Drift will be distributed proportionally based on a snapshot taken on April 1.

What Happened?

Carrot, a Solana-based DeFi yield protocol, confirmed it will cease operations after the fallout from the Drift exploit made continued functioning unsustainable. The team described the situation as catastrophic and began a structured wind down of the platform. Users are now being given a deadline to withdraw their funds before forced deleveraging begins.

1/ Carrot is shutting down

This is certainly not the outcome we wanted, but the situation with the Drift exploit, has proven to be catastrophic for our continued operations.

— Carrot (@DeFiCarrot) April 30, 2026

Drift Exploit Triggers Chain Reaction Across DeFi

The shutdown traces back to the April 1 exploit on Drift Protocol, which resulted in an estimated $285 million loss within minutes. The attack, reportedly using a durable nonce vulnerability to gain administrative control, drained more than half of Drift’s total value locked.

While Carrot itself was not directly hacked, its deep integration with Drift-based vaults and liquidity strategies exposed it to heavy losses. This indirect impact proved devastating.

• Around 50 percent of Carrot’s TVL was at risk following the exploit.
• Estimated losses exceeded $8 million.
• The exploit affected 15 to 20 interconnected Solana protocols, highlighting systemic risk.

The incident is now considered one of the largest DeFi exploits of 2026 and a major stress test for the Solana ecosystem.

TVL Collapse Reflects Severity of Impact

The damage quickly showed in Carrot’s liquidity.

On April 1, the protocol held roughly $28 million in total value locked. In the weeks that followed, that figure dropped sharply to around $2 million, marking a decline of more than 90 percent.

This steep fall was driven by a mix of user withdrawals, forced unwinding of positions, and reduced confidence in the platform’s recovery prospects.

At the same time, Carrot adjusted the net asset value of its CRT token to reflect both realized and unrealized losses, with estimates placing it in the $57.52 to $57.58 range during mid April updates.

Don't chase the news. Let us curate it.

You get one weekly briefing with only the stories that matter. If the market is quiet, we skip it.

Email address

Get the Weekly Briefing - it's free!

✅ Join readers from Visa, Vanguard, and the FDIC.

Users Given Deadline to Withdraw Funds

Carrot has set May 14, 2026, as the final date for users to withdraw funds from its core products:

• Boost, which offered leveraged yield strategies using deposited collateral.
• Turbo, which provided managed leveraged exposure to assets like SOL and BTC.
• CRT, a yield bearing stablecoin with no lockups or management fees.

After the deadline, the protocol will begin full deleveraging, reducing all positions to 1x leverage to free up liquidity for redemptions.

The team emphasized that user funds remain their property throughout the process. Even after withdrawals, users will still be eligible for any future recovery linked to Drift.

Recovery Plan and IOU Distribution

Carrot confirmed that any recovery from the Drift exploit will be distributed through a future IOU token, though no clear timeline has been provided.

Distribution will be based on a snapshot of CRT holdings taken on April 1, ensuring that user claims are preserved regardless of when they withdraw.

The protocol also stated that it will remain operational in a limited capacity to manage this recovery process and communicate updates.

From Stabilization Efforts to Shutdown Decision

In the days following the exploit, Carrot attempted to stabilize operations.

• Withdrawal restrictions were introduced in certain markets.
• Leverage levels were reduced across products.
• Assets were consolidated to support redemptions.

Despite these measures, the scale of losses and continued outflows made recovery unfeasible. The team ultimately concluded that shutting down was the only viable path forward.

DeFi Contagion Risk Comes Into Focus

Carrot’s collapse highlights a growing concern in decentralized finance, contagion risk.

Even though the protocol was not directly attacked, its reliance on another platform led to cascading losses. This type of second order failure is becoming more common as DeFi protocols grow increasingly interconnected.

The Drift exploit has exposed how vulnerabilities in one system can quickly spread across an entire ecosystem.

CoinLaw’s Takeaway

In my experience, this is a clear reminder that DeFi risk is not just about the protocol you use, but also the protocols it depends on. I found that many users often overlook these hidden dependencies, and events like this bring those risks into sharp focus.

What stands out to me is how fast things unraveled. A single exploit wiped out confidence, liquidity, and ultimately the future of a project that had been running for over two years. I believe this will push both developers and users to rethink how deeply interconnected DeFi systems should be.