TL;DR
On April 1, 2026, an attacker drained between $270 and $286 million from Drift Protocol on Solana. No smart contract bug. No stolen keys. Instead, the attacker abused a legitimate Solana feature called "durable nonces" to socially engineer two of five Security Council multisig signers into approving misleading transactions, then sat on those pre-signed transactions for over a week before executing them in under a minute. Funds moved out through NEAR, Circle CCTP, Wormhole, and Tornado Cash. Blockchain analytics firm Elliptic has identified multiple indicators suggesting the exploit is linked to the DPRK.
No Bug, No Key Compromise, No Flash Loan
The Drift exploit didn't follow any of the familiar playbooks. No reentrancy. No oracle manipulation. No stolen private key. The attacker used a feature that works exactly as designed.
Solana's durable nonces let the attacker separate the moment a transaction was approved from the moment it was executed by more than a week. Two multisig signers thought they were approving routine operations. They were actually signing their protocol's death warrant.
This comes barely a year after Bybit lost $1.5 billion to a similar social engineering attack on multisig signers. Two nine-figure exploits in fourteen months, both caused by operational failure rather than code vulnerabilities. At some point, the industry has to stop treating this as an edge case.
How Solana's Durable Nonces Work
Every Solana transaction includes a recent blockhash, a cryptographic reference to a recent block that proves the transaction was created recently. This blockhash expires after roughly 150 slots, or about two minutes, governed by MAX_PROCESSING_AGE in the Solana SDK. Miss that window and the transaction is dead. This is intentional. It prevents old, stale transactions from being replayed.
Durable nonces sidestep this entirely. Instead of a recent blockhash, a transaction references a nonce value stored in a dedicated on-chain account. That nonce doesn't expire on a timer. The transaction stays valid indefinitely, as long as the nonce account exists and its stored value hasn't changed. There are only three ways to kill it:
- The transaction gets submitted and executed
- Someone advances the nonce account, replacing the stored value with AdvanceNonceAccount, which invalidates anything referencing the old nonce
- The nonce account gets closed by withdrawing all SOL via WithdrawNonceAccount
The feature exists for good reasons. Hardware wallets, air-gapped signing setups, and institutional custody workflows all need more than two minutes to collect signatures and submit. Durable nonces give them that flexibility.
The tradeoff should be obvious. Once a signer approves a durable nonce transaction, that approval is permanent unless someone explicitly advances or closes the nonce account. Most multisig implementations don't monitor or rotate nonce accounts. Nobody's watching. The signed transaction just sits there, ready to fire, for as long as the attacker wants.
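An added example, not from the original article or from any Solana tooling: a check a signer or monitor could run to see whether a pre-signed durable nonce approval is still executable, following the invalidation conditions listed above. The function names and sample bytes are constructed for illustration; the 80-byte layout is the System Program's nonce account encoding, and the version field is read but not interpreted here.

```python
import struct

NONCE_ACCOUNT_LEN = 80  # u32 version, u32 state, 32B authority, 32B nonce, u64 fee

def parse_nonce_account(data):
    """Return (authority, stored_nonce), or None if closed or uninitialized."""
    if data is None or len(data) != NONCE_ACCOUNT_LEN:
        return None                      # closed (no data) or not a nonce account
    _version, state = struct.unpack_from("<II", data, 0)
    if state != 1:                       # 0 = Uninitialized, 1 = Initialized
        return None
    return data[8:40], data[40:72]

def approval_is_live(account_data, signed_nonce):
    """True while a transaction signed against signed_nonce can still execute."""
    parsed = parse_nonce_account(account_data)
    return parsed is not None and parsed[1] == signed_nonce

def live_approvals(approvals, chain_state):
    """approvals: {label: (nonce_account, signed_nonce)};
    chain_state: {nonce_account: account bytes, or None if closed}.
    Returns labels of signatures NOT yet revoked by an advance or a close."""
    return sorted(label for label, (acct, nonce) in approvals.items()
                  if approval_is_live(chain_state.get(acct), nonce))

def sample_account(authority, nonce):
    """Constructed account body for the demo, not fetched from a cluster."""
    return struct.pack("<II", 1, 1) + authority + nonce + struct.pack("<Q", 5000)

# Constructed scenario: three approvals, all signed against nonce value OLD.
AUTH, OLD, NEW = b"\x01" * 32, b"\xaa" * 32, b"\xbb" * 32
APPROVALS = {"signer-A": (b"A" * 32, OLD), "signer-B": (b"B" * 32, OLD),
             "signer-C": (b"C" * 32, OLD)}
CHAIN = {b"A" * 32: sample_account(AUTH, OLD),   # untouched: still executable
         b"B" * 32: sample_account(AUTH, NEW),   # advanced: approval revoked
         b"C" * 32: None}                        # closed: approval revoked

if __name__ == "__main__":
    print(live_approvals(APPROVALS, CHAIN))
```

Any label this returns is a signature that can still be submitted by whoever holds the signed transaction.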
Drift's Security Council: The Target
Drift Protocol was governed by a Security Council multisig: a 2-of-5 configuration where any two of five council members could authorize protocol-level actions. The timelock was set to zero seconds. Once two signatures landed, execution was instant. No delay window. No chance for other council members to review or veto. As one community member put it: "2/5 multisig for a 500M TVL with no time lock is crazy."
Multisigs are supposed to prevent exactly this kind of attack. The whole point is that compromising one person shouldn't be enough. You need collusion or multiple independent breaches.
The attacker didn't need either. They needed two signatures on misleading transactions, and durable nonces meant those signatures didn't have to be collected and used in the same sitting.
Drift later described the approvals as "unauthorized or misrepresented transaction approvals," which strongly suggests the signers believed they were approving something routine. The exact social engineering method hasn't been disclosed.
The Attack Timeline
The setup took nine days. The execution took less than a minute.
| Date | Event |
|---|---|
| March 23 | Four durable nonce accounts created. Two tied to legitimate Drift Security Council members (containing their valid signatures). Two controlled by the attacker. |
| March 27 | Drift executes a planned Security Council migration, swapping out a council member. The attacker adapts to the new configuration. |
| March 30 | A new durable nonce account appears, tied to a member of the updated multisig. The attacker re-obtained the 2-of-5 approval threshold under the new council composition. |
| April 1 | Drift runs a legitimate test withdrawal from its insurance fund. About one minute later, the attacker submits the pre-signed durable nonce transactions. |
The execution on April 1 took two transactions, four Solana slots apart:
- Transaction 1: Created and approved a malicious admin transfer using the pre-signed authorizations
- Transaction 2: Approved and executed the transfer, giving the attacker full control of Drift's protocol-level permissions
With admin control secured, the attacker introduced a fraudulent withdrawal mechanism and drained the vaults.
What Was Stolen
The asset breakdown, as reported by CoinDesk, totaled roughly $270 million across dozens of tokens (Elliptic's independent estimate puts the figure at $286 million):
| Asset | Amount |
|---|---|
| JPL tokens | $155.6M |
| USDC | $60.4M |
| CBBTC (Coinbase wrapped BTC) | $11.3M |
| USDT | $5.65M |
| Wrapped ETH | $4.7M |
| DSOL | $4.5M |
| WBTC | $4.4M |
| FARTCOIN | $4.1M |
| Other (JUP, JITOSOL, MSOL, BSOL, EURC, etc.) | Remaining balance |
All user deposits into Drift's borrow-and-lend products, vault deposits, and trading funds were affected. DSOL tokens not deposited in Drift, including assets staked to the Drift validator, were unaffected.
Fund Flow: NEAR, Backpack, Wormhole, Tornado Cash
The laundering infrastructure was pre-built and layered across multiple chains.
Funding the attack:
- The primary drainer wallet was funded with 1 SOL eight days before the exploit via NEAR Intents, a cross-chain execution layer that routes value across 35+ blockchains. Useful for obfuscating fund origins. The wallet sat dormant until execution day.
- Intermediary wallets used during the drain were funded just one day before via Backpack, a VARA-regulated centralized exchange that requires full KYC verification. That potentially gives investigators a traceable identity.
Moving the proceeds:
- Stolen funds were bridged from Solana to Ethereum using both Circle's CCTP v2 (Cross-Chain Transfer Protocol) and Wormhole. CCTP handled the bulk of the USDC transfers through its burn-and-mint mechanism, while Wormhole moved the non-USDC assets.
- On-chain investigator ZachXBT reported that over $230 million in USDC went through CCTP across more than 100 transactions.
- Ethereum-side receiving addresses had been pre-funded using Tornado Cash, the sanctioned privacy mixer.
The Circle Controversy
ZachXBT publicly criticized Circle, the centralized issuer of USDC, for not freezing the stolen USDC during an approximately six-hour window after the attack began around noon Eastern time on April 1. Multiple outlets covered the criticism, though the original posts were made on X.
Circle has the technical ability to blacklist USDC addresses on-chain, rendering the tokens unmovable. They've done it before. The delay, or decision not to act, gave the attacker enough time to bridge the majority of the USDC to Ethereum and start laundering.
As of April 3, 2026, Circle has not publicly responded to the criticism or commented on the Drift exploit. The silence itself has become a point of contention.
Attribution: North Korea
Blockchain analytics firm Elliptic stated it had "identified multiple indicators suggesting that the exploit is linked to the DPRK," stopping short of definitive attribution but noting consistency with known North Korean threat actor tactics. They did not specifically name the Lazarus Group in their initial analysis.
If this sounds familiar, it should:
- Bybit, February 21, 2025: Approximately $1.5 billion in virtual assets stolen (~401,347 ETH per on-chain records). The attacker compromised a Safe{Wallet} developer's machine and injected malicious JavaScript into the Safe UI. The JS replaced legitimate transaction data with a malicious delegatecall, tricking Bybit's multisig signers into unknowingly transferring wallet control. The FBI formally attributed the attack to North Korea's TraderTraitor group five days later.
- Ronin Bridge, March 23, 2022: 173,600 ETH + 25.5 million USDC (~$540-625 million depending on valuation date). The attacker obtained private keys for 5 of 9 validator nodes through social engineering via a fake job offer. Attributed to Lazarus Group by OFAC via an SDN list update on April 14, 2022, with the FBI issuing a concurrent statement.
As one security researcher posting under the handle 'Temmy' noted: "we've seen this before. we've seen this so many times... bybit. $1.4 billion. the attacker compromised the signing infrastructure and tricked signers into authorizing malicious transactions. same concept. social engineering. not code."
Why Durable Nonces Make This Especially Dangerous
Social engineering multisig signers isn't new. What durable nonces add is temporal separation, and that changes the threat model in a way most protocols haven't accounted for.
Without durable nonces, an attacker who tricks a signer into approving a malicious transaction has about two minutes to collect remaining signatures and submit. The attack has to happen in near-real-time. Signers might notice something is off. Monitoring systems can flag unusual activity. The window is tight.
With durable nonces, the attacker can:
- Collect signatures over days or weeks, approaching each signer independently with different pretexts
- Wait for the right moment to execute. In this case, the attacker fired immediately after a legitimate insurance fund withdrawal, which may have provided cover
- Adapt to configuration changes. When Drift rotated a council member on March 27, the attacker simply obtained a new signature from the updated council by March 30
- Execute cold, with no preceding on-chain activity to trigger alerts
Once a signer has signed, there's no taking it back unless the nonce account is advanced or closed. Most multisig implementations don't build in nonce monitoring or rotation as standard practice.
Lessons for DeFi Security
1. Durable nonce transactions need special handling in multisig workflows. Any Solana multisig should treat durable nonce transactions as high-risk by default. Signers need to verify that the nonce account is controlled by the protocol, not an external party. Signing interfaces should flag when a transaction uses a durable nonce instead of a recent blockhash. This should be loud and obvious.
2. 2-of-N thresholds aren't enough for protocol-level control. A 2-of-5 threshold means an attacker only needs to fool 40% of signers. For operations controlling hundreds of millions in user funds, higher thresholds (3-of-5, 4-of-7) with mandatory timelocks and on-chain governance approvals should be the floor.
3. Temporal separation is the new attack surface. The assumption that "approval equals intent at time of execution" falls apart with durable nonces. Protocols need mechanisms that bind approvals to a specific time window or protocol state, not just a nonce value that can sit around forever.
4. Social engineering is now a leading DeFi attack vector. Two of the three largest DeFi exploits in just over a year, Bybit ($1.5B) and Drift ($270M+), were social engineering attacks targeting multisig signers. Not code exploits. (The $223 million Cetus Protocol exploit in May 2025, by contrast, was a smart contract overflow bug, so code-level auditing obviously still matters.) But the industry's investment in smart contract auditing alone is clearly not enough when most of the money leaves protocols through people, not code.
5. Centralized choke points need faster response playbooks. Circle had six hours to freeze stolen USDC during a $230M+ drain and apparently did nothing. Stablecoin issuers with blacklist capabilities should have automated or near-automated response procedures for incidents at this scale.
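One way a signing interface could implement the flag from lesson 1, as an added example that is not code from Drift, Solana, or any wallet. It parses a legacy (non-versioned) serialized message, detects a System Program AdvanceNonceAccount as the first instruction, and checks the nonce authority against an allowlist. The function names, verdict strings and sample keys are constructed for illustration.

```python
import struct

SYSTEM_PROGRAM = bytes(32)            # System Program id is 32 zero bytes
ADVANCE_NONCE = struct.pack("<I", 4)  # SystemInstruction::AdvanceNonceAccount

def shortvec(buf, off):
    """Decode a compact-u16 length prefix; return (value, next offset)."""
    val = shift = 0
    while True:
        b, off = buf[off], off + 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, off
        shift += 7

def durable_nonce_info(msg):
    """None for a recent-blockhash message; else the nonce account and authority.
    A durable nonce transaction carries AdvanceNonceAccount as instruction 0."""
    if msg[0] & 0x80:
        raise ValueError("versioned message: outside this legacy-only check")
    n_keys, off = shortvec(msg, 3)             # skip the 3-byte header
    keys = [msg[off + 32 * i: off + 32 * (i + 1)] for i in range(n_keys)]
    off += 32 * n_keys + 32                    # keys, then blockhash/nonce field
    n_ix, off = shortvec(msg, off)
    if n_ix == 0:
        return None
    prog = msg[off]
    n_acc, off = shortvec(msg, off + 1)
    accts = msg[off:off + n_acc]               # nonce acct, sysvar, authority
    dlen, off = shortvec(msg, off + n_acc)
    if keys[prog] != SYSTEM_PROGRAM or msg[off:off + dlen] != ADVANCE_NONCE or n_acc < 3:
        return None
    return {"nonce_account": keys[accts[0]], "authority": keys[accts[2]]}

def review_flag(msg, protocol_authorities):
    """Verdict a signing UI could show before asking for a signature."""
    info = durable_nonce_info(msg)
    if info is None:
        return "OK"      # recent blockhash: the approval expires on its own
    if info["authority"] not in protocol_authorities:
        return "BLOCK"   # nonce controlled by a key outside the protocol
    return "WARN"        # durable nonce: approval stays live until advanced

def sample_message(authority, durable):
    """Constructed message; keys: authority, nonce acct, sysvar, System Program."""
    keys = [authority, b"\x02" * 32, b"\x03" * 32, SYSTEM_PROGRAM]
    ix = (bytes([3, 3, 1, 2, 0, 4]) + ADVANCE_NONCE if durable
          else bytes([3, 2, 0, 1, 12]) + struct.pack("<IQ", 2, 1000))
    return bytes([1, 0, 2, len(keys)]) + b"".join(keys) + b"\xaa" * 32 + b"\x01" + ix
```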
Current Status
As of April 3, 2026:
- Drift Protocol has been paused: all deposits, withdrawals, and trading suspended
- The compromised wallet has been removed from the multisig
- Insurance fund assets are being withdrawn and safeguarded
- A detailed post-mortem has been announced but not yet published
- Investigations by ZachXBT, Elliptic, and law enforcement are ongoing
Don't Wait for the Post-Mortem
The Drift attacker created nonce accounts on March 23. The drain happened on April 1. That's nine days of on-chain setup, including privilege escalation and unauthorized parameter changes, that went completely undetected.
An audit wouldn't have caught this. It wasn't a code bug. But continuous monitoring would have flagged the durable nonce account creation, the anomalous signer activity, and the admin permission changes before a single dollar moved.
Tripwire tracks exactly these patterns: privilege escalation attempts, parameter modifications, unusual fund movements, and governance anomalies, 24/7 across your deployed contracts. When something triggers, your team gets alerts in seconds through Slack, Telegram, or email, and pre-configured circuit breakers can freeze operations automatically without waiting for a war room.
Audits tell you the code is safe. Tripwire tells you the code is still safe, right now, in production.
Frequently Asked Questions
How was Drift Protocol hacked?
An attacker socially engineered two of five Security Council multisig signers into approving misleading transactions. The attacker used Solana's durable nonce feature to pre-sign those transactions over a nine-day period (March 23-30), then executed them on April 1 in under a minute. No smart contract vulnerability was exploited. It was an operational security failure.
How much was stolen from Drift Protocol?
Between $270 million (CoinDesk estimate) and $286 million (Elliptic estimate), across JPL tokens ($155.6M), USDC ($60.4M), CBBTC ($11.3M), and dozens of other tokens including USDT, Wrapped ETH, DSOL, WBTC, and FARTCOIN.
Who hacked Drift Protocol?
Blockchain analytics firm Elliptic identified multiple indicators suggesting the exploit is linked to North Korea (DPRK). The attack pattern is consistent with previous DPRK-attributed exploits, including the $1.5 billion Bybit hack in February 2025.
What are Solana durable nonces?
Durable nonces are a Solana feature that allows transactions to remain valid indefinitely instead of expiring after the usual ~2-minute window. They replace the standard recent blockhash with a stored nonce value, enabling offline signing workflows and hardware wallet operations. In the Drift exploit, this feature was abused to separate transaction approval from execution by over a week.
Are Drift Protocol funds safe now?
As of April 3, 2026, Drift Protocol is fully paused. All deposits, withdrawals, and trading are suspended. The compromised wallet has been removed from the multisig, and insurance fund assets are being safeguarded. A detailed post-mortem has been announced but not yet published.
Sources
- CoinDesk — How a Solana Feature Designed for Convenience Let Attackers Drain $270M from Drift
- CoinDesk — North Korean Hackers Likely Behind $286M Drift Protocol Exploit (Elliptic)
- CoinDesk — Solana DeFi Platform Drift Investigates Suspicious Activity
- Solana Documentation — Introduction to Durable Nonces
- Elliptic — Drift Protocol Exploited for $286M in Suspected DPRK-Linked Attack
- FBI IC3 — PSA on Bybit Theft (PSA250226)
- CyberScoop — Treasury Updates Lazarus Group Sanctions (Ronin)
- Cyfrin — Inside the $223M Cetus Exploit
- Protos — Inside the $280M Drift Hack
- Cube Exchange — Security Briefing: Drift Hack



