Bug Report
Summary
A withdrawal transaction debited my Drift user account but transferred the USDC from the Drift vault to itself (source = destination), resulting in permanent loss of funds for the user.
Transaction Evidence
The Problem
The inner Token Transfer instruction in the withdrawal TX shows:
Source: GXWqPpjQpdz7KZw9p7f5PX2eGxHAhvpNXiviFkAB8zXg (Drift USDC Spot Vault)
Destination: GXWqPpjQpdz7KZw9p7f5PX2eGxHAhvpNXiviFkAB8zXg (Drift USDC Spot Vault)
Amount: 64998235
Both source and destination are the same address — the Drift USDC Spot Market Vault (JCNCMFXo5M5qwUPg2Utu1u6YWp3MbygxqBsBeXXJfrw authority).
Impact
- My Drift account was debited by 64.998235 USDC ✅
- The USDC was "transferred" from vault → vault (net change: 0 in vault balance) ✅
- USDC never arrived in my personal wallet ❌
- Account now shows ~$0 balance
Token Balance Changes (from TX)
Owner: JCNCMFXo5M5qwUPg2Utu1u6YWp3MbygxqBsBeXXJfrw (Vault)
Change: 62,924,993.306074 → 62,924,993.306074 (+0.000000 USDC)
The vault balance didn't change at all — the USDC is still there.
Context
- Used
@drift-labs/sdk to execute the withdrawal
- The withdrawal instruction was constructed with the vault's token account as both source AND destination
- This appears to be a bug in how the SDK constructs the withdrawal instruction when the user's USDC ATA doesn't exist or isn't passed correctly
Request
The USDC is still in the vault. Could you please:
- Investigate how this happened
- Re-credit 64.998235 USDC to my Drift account (
CzS42Ph5tK1B7r8u58Szvc52SCHcSB4gt4Fx9KFiLwCR)
- Fix the underlying bug to prevent this for other users
Environment
- SDK version: @drift-labs/sdk (latest at time of TX, Feb 2026)
- Network: Solana Mainnet
- RPC: Helius
Thank you for looking into this.
Bug Report
Summary
A withdrawal transaction debited my Drift user account but transferred the USDC from the Drift vault to itself (source = destination), resulting in permanent loss of funds for the user.
Transaction Evidence
2M5SkN3niSc9aecXvEPU4izbKhg923qAQZJtM9BcNbRcZJewSaTwkxZQwohKCjRaM7dRvYcMMK8guD4NSbKfLVeTDoUWiEkyk9WpzZDamtvv4UbuWmEoNuVUYJN3a7xnq1wuCzS42Ph5tK1B7r8u58Szvc52SCHcSB4gt4Fx9KFiLwCRThe Problem
The inner Token Transfer instruction in the withdrawal TX shows:
Both source and destination are the same address — the Drift USDC Spot Market Vault (
JCNCMFXo5M5qwUPg2Utu1u6YWp3MbygxqBsBeXXJfrwauthority).Impact
Token Balance Changes (from TX)
The vault balance didn't change at all — the USDC is still there.
Context
@drift-labs/sdkto execute the withdrawalRequest
The USDC is still in the vault. Could you please:
CzS42Ph5tK1B7r8u58Szvc52SCHcSB4gt4Fx9KFiLwCR)Environment
Thank you for looking into this.