On April 1, Solana-based decentralized perpetuals exchange Drift Protocol confirmed an active security breach that resulted in the loss of approximately $280 million in user funds. Within minutes of detecting irregular on-chain transactions, the Drift team suspended all deposits and withdrawals and mobilized its security partners to contain the incident. Drift's postmortem report later revealed that the attacker abused Solana's durable nonce mechanism: a transaction signed against a nonce account does not expire with a recent blockhash, so the attacker could collect signatures on pre-signed transactions well in advance and submit them later, at a time of its choosing. Multisig signers were lured into approving what appeared to be legitimate admin operations, and once the signature threshold was met the proposal could execute immediately.
The breach unfolded in two stages. First, the exploiter obtained signatures from two of the five signers on the protocol's new multisig address, which had been deployed only days prior as part of a planned upgrade. One signer from the previous multisig had inadvertently retained access, and the attacker compromised two additional signers through targeted operational security failures. Because the multisig's timelock was set to zero seconds, the actor could submit and execute the proposal in a single step, transferring all assets from Drift's liquidity vault (USDC, wrapped Bitcoin, wrapped Ethereum, and other SPL tokens) to an external wallet.
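The two paragraphs above describe a transaction that was signed in advance against a durable nonce and executed later against a multisig with no timelock. On Solana, a durable-nonce transaction is recognisable from the message bytes alone: its first instruction must be the System Program's AdvanceNonceAccount, and the "recent blockhash" field carries the nonce value instead of a real blockhash. The following Python is an added example, not code from Drift or the Solana project; it parses a serialized legacy transaction message, flags durable-nonce usage, and applies a signer-side policy that refuses to pre-sign such a message when it touches a guarded (multisig) program. All account keys, the multisig program id, and the instruction payloads are constructed placeholders.

```python
"""Detect durable-nonce transactions and enforce a signer-side policy on them.

Added example (not Drift or Solana project code). The wire format follows
Solana's legacy message layout: 3-byte header, compact-u16 length-prefixed
account keys, 32-byte recent blockhash (or nonce value), compact-u16
length-prefixed instructions. Every key below is a constructed placeholder.
"""
from __future__ import annotations
import struct

SYSTEM_PROGRAM = bytes(32)          # real id: 11111111111111111111111111111111
ADVANCE_NONCE_ACCOUNT = 4           # SystemInstruction enum index (u32 LE)

# Constructed placeholder keys (not real on-chain addresses).
SIGNER = b"\x01" * 32
NONCE_ACCOUNT = b"\x02" * 32
RECENT_BLOCKHASHES_SYSVAR = b"\x03" * 32
MULTISIG_PROGRAM = b"\x04" * 32     # hypothetical multisig program id
NONCE_VALUE = b"\x09" * 32          # value stored in the nonce account
RECENT_BLOCKHASH = b"\x0a" * 32     # a normal, expiring blockhash


def encode_compact_u16(n: int) -> bytes:
    """Solana compact-u16: 7 bits per byte, high bit = continuation."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n == 0:
            out.append(b)
            return bytes(out)
        out.append(b | 0x80)


def decode_compact_u16(buf: bytes, pos: int) -> tuple[int, int]:
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def build_message(keys, blockhash, instructions, num_required_signatures=1) -> bytes:
    """Serialize a legacy message; instructions are (program_idx, [acct_idx], data)."""
    out = bytearray([num_required_signatures, 0, 0])
    out += encode_compact_u16(len(keys))
    for k in keys:
        out += k
    out += blockhash
    out += encode_compact_u16(len(instructions))
    for prog_idx, acct_idxs, data in instructions:
        out.append(prog_idx)
        out += encode_compact_u16(len(acct_idxs)) + bytes(acct_idxs)
        out += encode_compact_u16(len(data)) + data
    return bytes(out)


def parse_message(msg: bytes) -> dict:
    """Parse the legacy message layout back into keys, blockhash and instructions."""
    pos = 3  # skip header: required sigs, readonly signed, readonly unsigned
    n_keys, pos = decode_compact_u16(msg, pos)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32
    n_ix, pos = decode_compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        prog_idx, pos = msg[pos], pos + 1
        n_acc, pos = decode_compact_u16(msg, pos)
        accounts, pos = list(msg[pos:pos + n_acc]), pos + n_acc
        dlen, pos = decode_compact_u16(msg, pos)
        data, pos = msg[pos:pos + dlen], pos + dlen
        instructions.append({"program": keys[prog_idx], "accounts": accounts, "data": data})
    return {"num_required_signatures": msg[0], "keys": keys,
            "blockhash": blockhash, "instructions": instructions}


def uses_durable_nonce(msg: bytes) -> bool:
    """The runtime treats a tx as durable-nonce only if ix[0] is AdvanceNonceAccount."""
    ixs = parse_message(msg)["instructions"]
    if not ixs:
        return False
    first = ixs[0]
    return (first["program"] == SYSTEM_PROGRAM and len(first["data"]) == 4
            and struct.unpack("<I", first["data"])[0] == ADVANCE_NONCE_ACCOUNT)


def signer_policy(msg: bytes, guarded_programs: set[bytes]) -> str:
    """Refuse to pre-sign durable-nonce messages that touch a guarded program."""
    touches_guarded = any(ix["program"] in guarded_programs
                          for ix in parse_message(msg)["instructions"])
    if uses_durable_nonce(msg) and touches_guarded:
        return "REJECT: durable nonce on guarded program; sign only against a fresh blockhash"
    return "ALLOW"


KEYS = [SIGNER, NONCE_ACCOUNT, RECENT_BLOCKHASHES_SYSVAR, MULTISIG_PROGRAM, SYSTEM_PROGRAM]
ADVANCE_NONCE_IX = (4, [1, 2, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT))
APPROVE_IX = (3, [0], b"\x00approve-proposal")   # hypothetical multisig payload

# Constructed samples: one pre-signable durable-nonce message, one ordinary one.
DURABLE_MSG = build_message(KEYS, NONCE_VALUE, [ADVANCE_NONCE_IX, APPROVE_IX])
NORMAL_MSG = build_message(KEYS, RECENT_BLOCKHASH, [APPROVE_IX])

if __name__ == "__main__":
    for name, m in (("durable", DURABLE_MSG), ("normal", NORMAL_MSG)):
        print(name, uses_durable_nonce(m), signer_policy(m, {MULTISIG_PROGRAM}))
```

The check is structural, so it can run in a signing wallet or a pre-signature review tool without network access. What it cannot tell you offline is whether the 32-byte "blockhash" field is a live blockhash or a nonce value; a complete signer-side control would also compare that field against the current nonce account state and reject any message whose first instruction advances a nonce authority the signer does not control.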
Blockchain analysis by Elliptic and CertiK indicated that funds were bridged via Circle's Cross-Chain Transfer Protocol (CCTP) to Ethereum minutes after the drain. Elliptic's threat intelligence flagged wallet addresses previously linked to North Korean state-sponsored cybercrime campaigns. Earlier large thefts, including the roughly $320 million Wormhole bridge exploit in February 2022 and the DPRK-attributed $1.5 billion Bybit incident in February 2025, share behavioral similarities with this one: signers or signing infrastructure are manipulated rather than the on-chain program being broken, delayed or pre-signed transactions are used, and high-liquidity stablecoin flows are prioritized.
Industry stakeholders responded swiftly. The Solana Foundation initiated a code audit of durable nonce handling, while Circle paused legacy mesh routing nodes to prevent further unauthorized USDC bridges. Drift Protocol engaged law enforcement, including the U.S. Department of Justice’s National Cryptocurrency Enforcement Team, to trace stolen assets across centralized and decentralized platforms. On-chain recovery options remain limited, but protocol governance has proposed a collateral recovery plan funded by ecosystem insurance pools.
The exploit underscores persistent weaknesses in multisignature schemes and the human element in operational security: the multisig worked as designed, but the signers were deceived and the zero-second timelock left no window to intervene. Drift's founder announced plans to integrate hardware-based key management and to mandate multi-party approvals via threshold signature schemes (TSS) with extended timelocks. As DeFi TVL exceeds $200 billion across networks, the Drift hack is a reminder that governance hygiene, signer key rotation on every multisig migration, and cross-chain risk controls are critical to safeguarding decentralized financial infrastructure.