Carrot DeFi Platform Shuts Down as First Victim of Drift's $285M Security Breach

The protocol has experienced a devastating 93% drop in total value locked over the past month, declining from $28 million to just $1.99 million, rendering it financially insolvent.

On Thursday, Carrot, a yield-generating decentralized finance protocol built on Solana, announced its permanent closure, making it one of the earliest DeFi platforms to collapse from the ripple effects of the Drift Protocol security breach that occurred in early April.

Through a Thursday announcement on X, Carrot described the Drift security breach as having "catastrophic" consequences for its operations, rendering the platform financially incapable of maintaining its services. The protocol has established May 14 as the final date for users to retrieve their remaining assets. Carrot stated it will maintain its involvement in recovery initiatives connected to Drift and will distribute recovered assets when they become accessible.

We are setting May 14th as the deadline to withdraw any remaining funds from Boost, Turbo, and CRT before we will then begin to deleverage the system. Your deposited funds are still yours, but all leverage will be reduced to zero, freeing up all liquidity for CRT redemption.

The security breach that hit the Drift protocol on April 1 stands as 2026's second-most devastating exploit. The incident represented a meticulously orchestrated assault that required several months of social engineering tactics by a collective of hackers who successfully obtained administrative access and extracted over half of the protocol's total value locked.

Multiple associated projects experienced secondary damage, including the yield generation protocol Gauntlet, the lending and borrowing service PrimeFi and the cryptocurrency investment fund Elemental DeFi.

Carrot had established deep integration with Drift's underlying infrastructure and relied on its liquidity pools to create yield opportunities for its user base. The protocol's TVL experienced a dramatic collapse following the Drift Protocol security incident.

Information from DefiLlama indicates that Carrot's total value locked stood at approximately $28 million prior to the Drift security breach, and presently sits at $1.99 million, representing a decline of approximately 93%.

The dramatic TVL decline experienced by Carrot following the Drift security breach. Source: DefiLlama

Additional data from DefiLlama reveals that approximately $630 million in digital assets were compromised during April across 25 separate incidents, making April the month with the most substantial losses since February 2025, during which $1.47 billion was taken.

The $293 million security breach targeting liquid staking protocol Kelp represents the most significant exploit of 2026 to date. Following closely is the Drift breach at $285 million. Combined, these two incidents represent over 90% of the total cryptocurrency stolen throughout April.
