Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.
This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution.
This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution.
Based on our investigation to date:
- This was not the result of a bug in Drift’s programs or smart contracts
- There is no evidence of compromised seed phrases
- The attack involved unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated through durable nonce mechanisms and sophisticated social engineering
As a result, approximately $280M was withdrawn from the protocol.
- This was not the result of a bug in Drift’s programs or smart contracts
- There is no evidence of compromised seed phrases
- The attack involved unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated through durable nonce mechanisms and sophisticated social engineering
As a result, approximately $280M was withdrawn from the protocol.
The attacker was able to:
- Pre-position access using durable nonce accounts
- Obtain sufficient multisig approvals (2/5 multisig approval)
- Execute a malicious admin transfer within minutes, gaining control of protocol-level permissions
- Use that control to introduce a malicious asset and remove all pre-set withdrawal limits attacking existing funds
- Pre-position access using durable nonce accounts
- Obtain sufficient multisig approvals (2/5 multisig approval)
- Execute a malicious admin transfer within minutes, gaining control of protocol-level permissions
- Use that control to introduce a malicious asset and remove all pre-set withdrawal limits attacking existing funds
All deposits into borrow/lend, vault deposits and funds deposited for trading are affected.
Unaffected:
- DSOL not deposited in Drift (including assets staked to the Drift Validator)
- Insurance Fund assets which will be withdrawn from the protocol for safeguarding
As a precautionary measure, all remaining protocol functions have been frozen and the multisig has now been updated to remove the compromised wallet
Unaffected:
- DSOL not deposited in Drift (including assets staked to the Drift Validator)
- Insurance Fund assets which will be withdrawn from the protocol for safeguarding
As a precautionary measure, all remaining protocol functions have been frozen and the multisig has now been updated to remove the compromised wallet
Below is the timeline of events.
March 23: Initial Nonce Setup
Four durable nonce accounts were created:
- Two associated with Drift Security Council multisig members
- Two associated with attacker-controlled accounts
Relevant accounts:
a. 45cZ5Fj97Va5Abipr6NN8Zf1BqZqWneSek1hU5cQRvhw — multisig member
b. 39JyWrdbVdRqjzw9yyEjxNtTbTKcTPLdtdCgbz7C7Aq8 — multisig member
c. CZRBcHAvXU6TzzjGuG4rT98UuTR7PBUeSGPZRDW5mfYW — attacker-controlled
d. 48cV6Mw5Y5afT8ofukvtFaMtrsCohHhsv8MfbdW8agh3 — attacker-controlled
Implication:
At least 2/5 multisig signers had signed transactions tied to durable nonce accounts, enabling delayed execution.
March 27: Multisig Migration
- Drift executed a planned Security Council migration due to a council member change.
March 30: Additional Nonce Activity
- A new durable nonce account was created for a member of the updated multisig: 6UJbu9ut5VAsFYQFgPEa5xPfoyF5bB5oi4EknFPvu924
Implication:
The attacker again obtained effective access to 2/5 signers in the updated multisig.
March 23: Initial Nonce Setup
Four durable nonce accounts were created:
- Two associated with Drift Security Council multisig members
- Two associated with attacker-controlled accounts
Relevant accounts:
a. 45cZ5Fj97Va5Abipr6NN8Zf1BqZqWneSek1hU5cQRvhw — multisig member
b. 39JyWrdbVdRqjzw9yyEjxNtTbTKcTPLdtdCgbz7C7Aq8 — multisig member
c. CZRBcHAvXU6TzzjGuG4rT98UuTR7PBUeSGPZRDW5mfYW — attacker-controlled
d. 48cV6Mw5Y5afT8ofukvtFaMtrsCohHhsv8MfbdW8agh3 — attacker-controlled
Implication:
At least 2/5 multisig signers had signed transactions tied to durable nonce accounts, enabling delayed execution.
March 27: Multisig Migration
- Drift executed a planned Security Council migration due to a council member change.
March 30: Additional Nonce Activity
- A new durable nonce account was created for a member of the updated multisig: 6UJbu9ut5VAsFYQFgPEa5xPfoyF5bB5oi4EknFPvu924
Implication:
The attacker again obtained effective access to 2/5 signers in the updated multisig.
April 1: Execution Phase
Step 1: Legitimate Test Transaction
Drift executed a test withdrawal from the insurance fund:
solscan.io/tx/BkUZ8nss1ap…
Step 2: Admin Takeover (~1 minute later)
The attacker executed two pre-signed durable nonce transactions (4 slots apart):
- Create + approve malicious admin transfer solscan.io/tx/2HvMSgDEfKh…
- Approve + execute malicious admin transfer solscan.io/tx/4BKBmAJn6Td…
Step 1: Legitimate Test Transaction
Drift executed a test withdrawal from the insurance fund:
solscan.io/tx/BkUZ8nss1ap…
Step 2: Admin Takeover (~1 minute later)
The attacker executed two pre-signed durable nonce transactions (4 slots apart):
- Create + approve malicious admin transfer solscan.io/tx/2HvMSgDEfKh…
- Approve + execute malicious admin transfer solscan.io/tx/4BKBmAJn6Td…
This attack was enabled by a combination of:
- Pre-signed durable nonce transactions, allowing delayed execution
- Compromise of multiple multisig signers’ approvals, likely through targeted social engineering or transaction misrepresentation
- Pre-signed durable nonce transactions, allowing delayed execution
- Compromise of multiple multisig signers’ approvals, likely through targeted social engineering or transaction misrepresentation
Drift Protocol is coordinating with multiple security firms to determine the cause of the incident. Drift is also working with bridges, exchanges, and law enforcement to trace and freeze stolen assets. We would welcome any information or help pertaining to the investigation at hello@drift.trade.
A more detailed postmortem will be released in the coming days and as information becomes available to us.
A more detailed postmortem will be released in the coming days and as information becomes available to us.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
