Summary: A non-bug exploit on Solana let attackers drain at least $270 million from Drift Protocol by abusing a legitimate convenience feature — durable nonces — and social-engineering multisig signers into pre-approving transactions that were executed later under a different context.
What happened, in short
- This was not a traditional hack: no smart-contract vulnerability, private-key compromise, flash loan, or oracle manipulation was required.
- Instead the attacker exploited Solana’s durable nonce feature to create transactions that remain valid indefinitely, obtained two multisig approvals by tricking signers, then executed those pre-signed transactions weeks later to seize protocol-level control and drain funds in under a minute.
Why durable nonces matter
- Normally Solana transactions include a recent blockhash that expires in ~60–90 seconds, preventing replay of stale approvals.
- Durable nonces replace that expiring blockhash with a fixed on-chain nonce so signed transactions can remain valid until submitted — a useful feature for hardware wallets, offline signing, and institutional workflows.
- The downside: once a signer approves a durable-nonce transaction it can be executed at any future time unless the nonce account is advanced — something many users don’t monitor. That separation of approval and execution opened the door for abuse.
How the attacker used it
- Drift’s admin permissions were governed by a five-member Security Council multisig requiring two signatures.
- Drift says confirmations were obtained through “unauthorized or misrepresented transaction approvals,” meaning the two signers likely thought they were signing innocuous actions.
- Timeline published by Drift:
- March 23: Four durable nonce accounts created — two tied to legitimate council members, two controlled by the attacker. That locked in two valid signatures.
- March 27: Drift performed a planned Security Council migration (swapping a council member).
- March 30: A new durable nonce appeared tied to a member of the updated multisig; the attacker re-established the two-of-five approval threshold under the new setup.
- April 1: After Drift executed a legitimate insurance-fund test withdrawal, the attacker submitted the pre-signed durable-nonce transactions. Two transactions, four slots apart, created and approved a malicious admin transfer, then executed it, giving the attacker protocol-level control. Within minutes they deployed a fraudulent withdrawal mechanism and emptied vaults.
Funds stolen and movement
- On-chain researchers traced roughly $270 million stolen across dozens of tokens. Major portions included:
- ~$155.6M in JPL tokens
- ~$60.4M in USDC
- ~$11.3M in CBBTC
- ~$5.65M USDT, ~$4.7M wETH, ~$4.4M WBTC, plus DSOL, JUP, JITOSOL, MSOL, BSOL, EURC and others
- The primary drainer wallet was funded eight days before the attack (via NEAR intents) but remained idle until execution.
- Stolen funds were routed through intermediary wallets that had been funded the day before using Backpack (which requires identity verification) — a possible investigative lead.
- From Solana assets were bridged to Ethereum via Wormhole; several Ethereum addresses were pre-funded through Tornado Cash.
- Notably, investigators observed over $230M in USDC bridged from Solana to Ethereum through Circle’s CCTP in 100+ transactions. Circle was criticized for not freezing those USDC during a roughly six-hour window after the attack began.
Broader context and implications
- On-chain investigators and social-media sleuths likened this to other large incidents where operational or social-engineering failures — not code bugs — led to massive losses (examples called out by the community include Bybit, Ronin, and Cetus).
- The core failure was the human/operational layer around the multisig: durable nonces let signing and execution be separated by weeks, letting signers approve actions that no longer matched the later context.
- Drift has frozen the protocol, removed the compromised wallet from the multisig, and is withdrawing and safeguarding insurance-fund assets. Deposits into borrow-and-lend products, vault deposits, and trading funds are affected; DSOL tokens not deposited in Drift remain unaffected.
Open questions
- How exactly were two multisig members induced to approve transactions they didn’t understand?
- Could wallets, multisig tools, or UI/UX be improved to flag durable-nonce transactions, require re-confirmation at execution, or otherwise mitigate this vector without breaking legitimate workflows?
- Will centralized onramps and issuers like Circle change incident-response practices after criticism that freezing didn’t occur during the critical window?
Why this matters
- The durable-nonce vector exploits a feature built for legitimate custody needs and is therefore hard to eliminate without changing multisig approval models on Solana.
- This incident underscores a larger trend: major DeFi losses increasingly stem from social engineering and operational security lapses rather than smart contract bugs, shifting where projects must focus their defenses — on governance, signing practices, and UX that prevents misrepresentation.
Drift says it will publish a more detailed postmortem. Investigators are following on-chain traces and the identity-linked leads through Backpack and NEAR funding activity.
Read more AI-generated news on: undefined/news
