The attack on Drift Protocol was not a traditional hack. Instead, an attacker used "durable nonces," a legitimate Solana feature, to pre-sign administrative transfers weeks before executing them. This bypassed the protocol’s multisig security in minutes.

Durable nonces allow transactions to remain valid indefinitely until submitted, which created a gap between approval and execution. The attacker gained two signatures from the Security Council, locking in transactions that were executed on April 1.

Within minutes, the attacker took full control of Drift’s protocol-level permissions and drained vaults. The total loss reached approximately $270 million across dozens of tokens including JPL, USDC, and BTC.

- Figure 1 -

Stolen funds were routed through NEAR, Backpack, and Ethereum via Wormhole, with Tornado Cash involvement. Circle was criticized for not freezing the stolen USDC during a six-hour window.

- Figure 2 -

This incident marks the third major exploit in recent months not involving smart contract bugs, highlighting growing risks from social engineering and operational failures.

Drift has frozen the protocol and removed the compromised wallet from the multisig. The upcoming postmortem will examine how approvals were misused and whether new tools could flag such transactions.
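
One check a signing tool could run before a multisig member approves a transaction, given as an added example that is not from Drift or the original article: a Solana transaction uses a durable nonce when its first instruction is the System Program's AdvanceNonceAccount, so a signature collected on it does not expire with a recent blockhash. The message layout assumes the JSON RPC `json` encoding, and the sample messages and placeholder account names are constructed.

```python
# Added example (not Drift's or Solana's code): flag a durable-nonce transaction before signing.
SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction discriminant, encoded as u32 little-endian
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):
    """Decode a base58 string (Solana instruction data) to bytes."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # raises ValueError on a non-base58 character
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

def durable_nonce_info(message):
    """Return the nonce account and authority if the transaction uses a durable
    nonce (first instruction is System Program AdvanceNonceAccount), else None."""
    keys = message.get("accountKeys", [])
    instructions = message.get("instructions", [])
    if not instructions:
        return None
    first = instructions[0]
    if first["programIdIndex"] >= len(keys) or keys[first["programIdIndex"]] != SYSTEM_PROGRAM:
        return None
    data = b58decode(first["data"])
    if len(data) < 4 or int.from_bytes(data[:4], "little") != ADVANCE_NONCE_ACCOUNT:
        return None
    accounts = first["accounts"]  # [nonce account, RecentBlockhashes sysvar, nonce authority]
    if len(accounts) < 3 or max(accounts) >= len(keys):
        return None
    return {"nonce_account": keys[accounts[0]], "nonce_authority": keys[accounts[2]]}

# Constructed sample messages; names ending in _PLACEHOLDER are not real addresses.
DURABLE = {
    "accountKeys": ["AUTHORITY_PLACEHOLDER", "NONCE_ACCOUNT_PLACEHOLDER",
                    "SysvarRecentB1ockHashes11111111111111111111", SYSTEM_PROGRAM,
                    "ADMIN_PROGRAM_PLACEHOLDER"],
    "instructions": [
        {"programIdIndex": 3, "accounts": [1, 2, 0], "data": "6vx8P"},  # AdvanceNonceAccount
        {"programIdIndex": 4, "accounts": [0], "data": "1"},            # stand-in admin action
    ],
}
ORDINARY = {
    "accountKeys": ["AUTHORITY_PLACEHOLDER", SYSTEM_PROGRAM, "ADMIN_PROGRAM_PLACEHOLDER"],
    "instructions": [{"programIdIndex": 2, "accounts": [0], "data": "1"}],
}

if __name__ == "__main__":
    for name, msg in (("DURABLE", DURABLE), ("ORDINARY", ORDINARY)):
        print(name, durable_nonce_info(msg) or "uses a recent blockhash (expires)")
```

A non-`None` result means the approval being requested has no expiry, which is the gap between approval and execution described above; a reviewer can then require a separate justification or reject the request.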