The attack on Drift Protocol was not a hack in the traditional sense.
No one found a bug or cracked a private key. Nor was there a flash loan or a manipulated oracle.
Instead, an attacker used a legitimate Solana feature, ‘durable nonces’, to trick Drift’s security council into pre-authorizing transactions that would be executed weeks later, at a time and in a context that the signers never intended.
The result was a drain of at least $270 million that took less than a minute to execute but more than a week to set up.
What are durable nonces and why they exist
On Solana, every transaction includes a ‘recent blockhash’, essentially a timestamp that proves the transaction was created recently. That block hash expires after about 60 to 90 seconds. If the transaction is not sent to the network within this window, it becomes invalid. This is a security feature and helps prevent old, stale transactions from being replayed later.
Durable nonces override this security feature. They replace the expiring blockhash with a fixed ‘nonce’, a one-time code stored in a special onchain account which keeps the transaction valid indefinitely until someone chooses to submit it.
The feature exists for legitimate reasons. Hardware wallets, offline signing setups and institutional custody solutions all need the ability to prepare and approve transactions without being forced to submit them within 90 seconds.
But unlimited valid transactions create a problem. If you can get someone to sign a transaction today, it can be executed next week or next month according to the system’s hard-coded rules. The signer has no way to revoke their authorization once granted unless the nonce account is manually advanced, which most users do not monitor.
How the attacker used them
Operation’s protocol was governed by a ‘Security Council multisig’, a system where several people (in this case five) share control and any action requires at least two of them to approve. Multisigs are a standard security practice in DeFi, where the idea is that compromising a single person is not enough to steal money.
But the attacker didn’t need to compromise anyone’s keys. All they needed were two signatures, and they appear to have obtained them through what Drift describes as “unauthorized or misrepresented transaction authorizations,” meaning the signatories likely thought they were authorizing a routine transaction.
Here is the Drift timeline published in a Thursday X post.
On March 23, four permanent nonce accounts were created. Two were associated with legitimate members of the Operational Safety Council. Two were controlled by the attacker. This means that the attacker had already obtained valid signatures from two of the five council members, locked into durable nonce transactions that would not expire.
On 27 March, Drift carried out a planned migration from the Security Council to replace a Council member. The striker adapted. On March 30, a new persistent nonce account appeared, linked to a member of the updated multisig, indicating that the attacker had regained the required two-out-of-five authentication threshold under the new configuration.
On April 1 executed the attacker.
First, Drift ran a legitimate test withdrawal from its insurance fund. About a minute later, the attacker submitted the pre-signed durable nonce transactions. Two transactions four slots apart on the Solana blockchain were enough to create and approve a malicious admin transfer, then approve and execute it.
Within minutes, the attacker had full control over Drift’s protocol-level permissions. They used this control to introduce a fraudulent withdrawal mechanism and drain the boxes.
What was taken and where it went
Onchain researchers tracked the fund flows in real time. The breakdown of stolen assets, compiled by security researcher Vladimir S., amounted to about $270 million across dozens of tokens.
The largest single category was $155.6 million in JPL tokens, followed by $60.4 million in USDC, $11.3 million in CBBTC (Coinbase wrapped bitcoin), $5.65 million in USDT, $4.7 million in wrapped ether, $4.5 million in DSOL, $4.4 million in WBTC, millions in FARTCO1, small amounts across $4. JITOSOL, MSOL, BSOL, EURC and others.
The primary drainer wallet was funded eight days prior to the attack via NEAR protocol intents, but remained inactive until the day of execution. Stolen funds were transferred to intermediate wallets funded the day before via Backpack, a decentralized crypto exchange that requires identity verification, potentially giving investigators a head start.
From there, funds were moved to Ethereum addresses via Wormhole, a cross-chain bridge. These Ethereum addresses had been pre-funded using Tornado Cash, the sanctioned privacy mixer.
ZachXBT, a prominent onchain researcher, noted that over $230 million in USDC was bridged from Solana to Ethereum via Circle’s CCTP (Cross-Chain Transfer Protocol) across more than 100 transactions.
He criticized Circle, the centralized issuer of USDC, for not freezing the stolen funds during a six-hour window after the attack began around noon Eastern time.
The attack also resembled recent social engineering attempts, using tactics similar to those seen before, according to a social media post by a user who goes by ‘Temmy’. “We’ve seen this before. We’ve seen it so many times,” the user said.
“bybit. $1.4 billion. attacker compromised signing infrastructure and tricked signers into approving malicious transactions. same concept. social engineering. not code. ronin bridge. $625 million. compromised validator keys. same story. cetus protocol. $223 million. different method but same result. hundreds of millions away.” said the post.
What was not compromised
What failed was the human layer around multisig. Durable nonces allowed the attacker to separate the moment of approval from the time of execution by more than a week, creating a gap where the context of the signed document no longer matched the context in which it was used.
All deposits in Drift’s loan and lending products, bank deposits and trading funds are affected. DSOL tokens not deposited in Drift, including assets staked on the Drift validator, are not affected. The insurance fund’s assets are withdrawn and secured. The protocol has been frozen and the compromised wallet has been removed from multisig.
As such, this is the third major exploit in recent months that did not involve a code vulnerability. Social engineering and operational security failures, rather than smart contract failures, are increasingly how money leaves DeFi protocols.
The durable nonce vector is particularly dangerous because it exploits a feature that exists for good reason and is difficult to defend against without fundamentally changing how multisig authentication works on Solana.
The open question that Drift’s upcoming detailed postmortem will answer is how two separate multisig members approved transactions they did not understand, and whether any tool or interface changes could have flagged persistent nonce transactions that required further investigation.
Read more: North Korean hackers likely behind $286 million Drift Protocol exploit
