Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.
This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions for delayed execution.
Based on our investigation to date:
- This was not the result of a bug in Drift’s programs or smart contracts
- There is no evidence of compromised seed phrases
- The attack involved unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated through durable nonce mechanisms and sophisticated social engineering
As a result, approximately $280M was withdrawn from the protocol.
The attacker was able to:
- Pre-position access using durable nonce accounts
- Obtain sufficient multisig approvals to meet the 2-of-5 signing threshold
- Execute a malicious admin transfer within minutes, gaining control of protocol-level permissions
- Use that control to introduce a malicious asset and remove all pre-set withdrawal limits, exposing existing funds to withdrawal
All deposits into borrow/lend, vault deposits and funds deposited for trading are affected.
Unaffected:
- DSOL not deposited in Drift (including assets staked to the Drift Validator)
- Insurance Fund assets, which will be withdrawn from the protocol for safeguarding
As a precautionary measure, all remaining protocol functions have been frozen, and the multisig has now been updated to remove the compromised wallet.
Below is the timeline of events.
March 23: Initial Nonce Setup
Four durable nonce accounts were created:
- Two associated with Drift Security Council multisig members
- Two associated with attacker-controlled accounts
Relevant accounts:
a. 45cZ5Fj97Va5Abipr6NN8Zf1BqZqWneSek1hU5cQRvhw — multisig member
b. 39JyWrdbVdRqjzw9yyEjxNtTbTKcTPLdtdCgbz7C7Aq8 — multisig member
c. CZRBcHAvXU6TzzjGuG4rT98UuTR7PBUeSGPZRDW5mfYW — attacker-controlled
d. 48cV6Mw5Y5afT8ofukvtFaMtrsCohHhsv8MfbdW8agh3 — attacker-controlled
Implication:
Two of the five Security Council signers had durable nonce accounts. Any approval they signed against one of those nonces does not expire with the recent blockhash the way an ordinary transaction does; it can be held and broadcast later, at a time of the holder's choosing.
March 27: Multisig Migration
- Drift executed a planned Security Council migration due to a council member change.
March 30: Additional Nonce Activity
- A new durable nonce account was created for a member of the updated multisig: 6UJbu9ut5VAsFYQFgPEa5xPfoyF5bB5oi4EknFPvu924
Implication:
The attacker again held pre-signed approvals from 2 of the 5 signers in the updated multisig, restoring the same delayed-execution capability after the migration.
April 1: Execution Phase
Step 1: Legitimate Test Transaction
Drift executed a test withdrawal from the insurance fund:
solscan.io/tx/BkUZ8nss1ap…
Step 2: Admin Takeover (~1 minute later)
The attacker executed two pre-signed durable nonce transactions (4 slots apart):
- Create + approve malicious admin transfer solscan.io/tx/2HvMSgDEfKh…
- Approve + execute malicious admin transfer solscan.io/tx/4BKBmAJn6Td…
This attack was enabled by a combination of:
- Pre-signed durable nonce transactions, allowing delayed execution
- Compromise of multiple multisig signers’ approvals, likely through targeted social engineering or transaction misrepresentation
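The first of these two enablers is mechanically detectable at signing time: a durable-nonce transaction on Solana must carry the System Program's AdvanceNonceAccount instruction as its first instruction, and it uses the stored nonce value where the recent blockhash normally goes. As an added illustration (not Drift's code, and not part of the original post), the following Python parses a legacy Solana transaction message and flags that pattern. The 32-byte account keys, blockhash and nonce values in the sample are constructed placeholders, not real accounts.

```python
"""Signer-side check: does a Solana transaction message use a durable nonce?

Added example, not Drift's code. A durable-nonce transaction must carry the
System Program's AdvanceNonceAccount instruction as its FIRST instruction and
puts the stored nonce value where the recent blockhash normally goes, so it
does not expire after ~150 slots like an ordinary transaction. Refusing or
escalating such messages at signing time closes the "approve now, execute
weeks later" window. Handles legacy (non-versioned) messages only.
"""
from dataclasses import dataclass
from typing import List, Tuple

SYSTEM_PROGRAM_ID = bytes(32)                      # 11111111111111111111111111111111
ADVANCE_NONCE_ACCOUNT = (4).to_bytes(4, "little")  # SystemInstruction variant 4 (bincode u32)
TRANSFER = (2).to_bytes(4, "little")               # SystemInstruction variant 2


def encode_compact_u16(n: int) -> bytes:
    """Solana 'compact-u16' varint: 7 bits per byte, 0x80 = more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def decode_compact_u16(buf: bytes, pos: int) -> Tuple[int, int]:
    value = 0
    for shift in (0, 7, 14):
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
    raise ValueError("compact-u16 longer than 3 bytes")


@dataclass
class Instruction:
    program_id_index: int
    account_indices: List[int]
    data: bytes


def serialize_message(header: bytes, keys: List[bytes], blockhash: bytes,
                      instrs: List[Instruction]) -> bytes:
    """Legacy message: header(3) | keys | recent_blockhash(32) | instructions."""
    out = bytearray(header) + encode_compact_u16(len(keys)) + b"".join(keys) + blockhash
    out += encode_compact_u16(len(instrs))
    for ix in instrs:
        out.append(ix.program_id_index)
        out += encode_compact_u16(len(ix.account_indices)) + bytes(ix.account_indices)
        out += encode_compact_u16(len(ix.data)) + ix.data
    return bytes(out)


def parse_message(buf: bytes) -> Tuple[List[bytes], bytes, List[Instruction]]:
    if buf[0] & 0x80:
        raise ValueError("versioned (v0) message: not handled in this example")
    n_keys, pos = decode_compact_u16(buf, 3)          # skip the 3-byte header
    keys = [buf[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = buf[pos:pos + 32], pos + 32      # nonce value for a durable tx
    n_ix, pos = decode_compact_u16(buf, pos)
    instrs = []
    for _ in range(n_ix):
        pid, pos = buf[pos], pos + 1
        n_acc, pos = decode_compact_u16(buf, pos)
        accs, pos = list(buf[pos:pos + n_acc]), pos + n_acc
        n_data, pos = decode_compact_u16(buf, pos)
        instrs.append(Instruction(pid, accs, buf[pos:pos + n_data]))
        pos += n_data
    return keys, blockhash, instrs


def uses_durable_nonce(message_bytes: bytes) -> bool:
    """True iff the runtime treats this as a durable-nonce tx: instruction 0 is
    System Program AdvanceNonceAccount. An AdvanceNonceAccount placed anywhere
    else does not make the tx durable; it still expires with its blockhash."""
    keys, _, instrs = parse_message(message_bytes)
    if not instrs:
        return False
    first = instrs[0]
    return keys[first.program_id_index] == SYSTEM_PROGRAM_ID and first.data[:4] == ADVANCE_NONCE_ACCOUNT


def demo() -> dict:
    """Constructed sample messages; all 32-byte keys are placeholders, not real accounts."""
    signer, nonce_acct, dest, sysvar = (bytes([i]) * 32 for i in (1, 2, 3, 4))
    # sysvar stands in for SysvarRecentB1ockHashes11111111111111111111
    keys = [signer, nonce_acct, dest, sysvar, SYSTEM_PROGRAM_ID]   # indices 0..4
    header = bytes([1, 0, 2])                                      # 1 signer; sysvar + system program read-only
    advance = Instruction(4, [1, 3, 0], ADVANCE_NONCE_ACCOUNT)     # nonce acct, sysvar, nonce authority
    transfer = Instruction(4, [0, 2], TRANSFER + (1_000_000).to_bytes(8, "little"))
    blockhash, nonce_value = bytes([0xAA]) * 32, bytes([0xBB]) * 32  # placeholders
    return {
        "ordinary": uses_durable_nonce(serialize_message(header, keys, blockhash, [transfer])),
        "durable": uses_durable_nonce(serialize_message(header, keys, nonce_value, [advance, transfer])),
        "advance_not_first": uses_durable_nonce(serialize_message(header, keys, blockhash, [transfer, advance])),
    }
```

A signer UI or signing policy would run this on the exact message bytes presented for signature. A durable-nonce message that approves an admin or ownership change should be treated as a standing authorization rather than a one-off: until the nonce account is advanced, whoever holds the signed bytes can broadcast them at any time. The check above covers legacy messages only; versioned (v0) messages carry a prefix byte and address-lookup tables and would need the parser extended.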
Drift Protocol is coordinating with multiple security firms to determine the cause of the incident. Drift is also working with bridges, exchanges, and law enforcement to trace and freeze stolen assets. We would welcome any information or help pertaining to the investigation at hello@drift.trade.
A more detailed postmortem will be released in the coming days as more information becomes available to us.
