Drift loses $285 million to theft: Did hackers deal a fatal blow to bear-market DeFi?

Techub News
1 hour ago

Written by: Wu Says Blockchain

Around April 2, 2026, several on-chain monitoring services and media outlets reported a large outflow of funds from Drift Protocol, an integrated derivatives and lending protocol in the Solana ecosystem. The project team confirmed that it was under attack and that approximately $280 million in funds had been stolen. The protocol has suspended deposits and withdrawals and is working with security firms, cross-chain bridges, and trading platforms to manage the situation.

What is Drift Protocol?

Drift is a composite, exchange-style DeFi protocol. Launched in 2021 as one of the leading trading protocols on Solana, it started with perpetual contracts and later expanded into spot trading, lending, and a broader "one-stop protocol" narrative. Drift's official statement in 2024 indicated that the protocol had over $350 million in Total Value Locked (TVL), more than 175,000 traders, and a cumulative trading volume exceeding $20 billion. In September of the same year, it completed a $25 million Series B round, bringing total funding to $52.5 million.

At the mechanism level, Drift's documentation explicitly acknowledges its reliance on external oracle accounts and describes "safeguards" including oracle validity checks, TWAP trimming, price-deviation bandwidth verification, and market information updates that, when necessary, limit specific actions. The documentation has historically emphasized that if oracle prices are "invalid or manipulated," exchange assets could be drained within a short time, which is why multi-step verification and "multi-range circuit breakers" are used to create a reaction window.

However, this attack shows that even when a protocol has relatively complete market-risk safeguards, an attacker who can access or influence the permission layer (administrator keys, multi-signature wallets, the governance channels for risk parameters) can turn the safeguards themselves into tools for embezzlement, for example by distorting thresholds or irrationally raising the collateral weight of a chosen asset, so that the system "legally" executes asset transfers once the rules have been rewritten.

Drift Protocol Response to $280 Million Loss: Social Engineering and Durable Nonce Mechanism Attack

Drift Protocol released a statement regarding today's security incident, in which a malicious actor gained unauthorized access to the protocol through a new type of attack involving durable nonces, quickly taking control of the Drift Security Committee's management authority. Drift described it as a highly complex operation, suspected to have been planned for weeks and executed in phases, including the use of durable nonce accounts to pre-sign transactions and delay their execution.

According to Drift's investigation so far, the incident was not caused by a vulnerability in the Drift program or its smart contracts, and there is no evidence that any mnemonic phrases were leaked. Drift believes the attacker obtained unauthorized or disguised transaction approvals before execution, with the durable nonce mechanism and sophisticated social engineering likely playing a key role. The incident resulted in approximately $280 million worth of assets being transferred out of the protocol.

Drift indicated that the attacker completed the attack in several steps: first, pre-positioning access via durable nonce accounts; next, obtaining enough approvals in the multi-signature wallet, specifically 2 of 5; then, within minutes, executing a malicious transfer of administrator privileges to gain protocol-level control; and finally, using that authority to list a malicious asset and remove all existing withdrawal limits, thereby gaining access to the existing funds.

Currently, all funds deposited in the lending module, the treasury, and trading accounts have been affected. Unaffected assets include DSOL that was not deposited in Drift, including assets staked with Drift Validators, as well as the insurance fund, which will be withdrawn from the protocol and moved to a more secure environment.

As a precaution, Drift has frozen all remaining protocol functions and updated the multi-signature configuration to remove the affected wallets.

This incident has spilled over to multiple DeFi protocols in the Solana ecosystem. Projects such as Reflect Money, Ranger Finance, Neutral Trade, Elemental DeFi, Project 0, Lulo Finance, Asgard Finance, DeFi Carrot, Pyra, xPlace, and Fuse Wallet have confirmed being affected, with some suspending minting, redemption, or deposit/withdrawal functions. Ranger Finance stated it faced an exposure of approximately $900,000, about 6% of its TVL; Pyra said that because user funds earning yield on Drift were affected, it has suspended related card functions.

Technical Analysis: Fake CVT Tokens and Oracle Manipulation

According to analysis by Helius developer Ichigo, the Drift Protocol incident may have involved the attacker constructing a fake CVT token and manipulating the Switchboard oracle to create the attack path. Ichigo claims the attacker then entered the Security Committee's governance process through social engineering and, with multi-signature permissions possibly already compromised, pushed the token to be listed as a high-weight collateral asset. The attacker had minted the "fake tokens" weeks in advance and set up a pricing anchor in a Raydium pool with extremely low liquidity (about $500), continuously generating price and transaction history through wash trading to seed the oracle's price records. Notably, the attacker deposited around 20 million CVT tokens that were worth close to nothing; once their price was inflated to a valuation above $100 million, the attacker used them as collateral to borrow real assets within the protocol and transfer the funds out, with the total expected to exceed $200 million.
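The two passages above (the documented oracle safeguards, and the fake-token path built on a $500 pool) describe why a price-only check is not enough. The following added example, written for this article and not Drift's own code, simulates a TWAP deviation band of the documented kind next to a liquidity-bounded collateral valuation; the token numbers, the 10% band, the 0.8 weight and the half-liquidity cap are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class OracleSample:
    slot: int
    price: float  # USD per token as reported by the oracle feed

@dataclass
class CollateralAsset:
    symbol: str
    deposited: float          # token units posted as collateral
    asset_weight: float       # governance-set collateral weight, 0..1
    dex_liquidity_usd: float  # quote-side liquidity actually backing the price
    history: list             # OracleSample records the feed has accumulated

def twap(asset: CollateralAsset) -> float:
    return sum(s.price for s in asset.history) / len(asset.history)

def passes_deviation_check(asset, live_price, max_deviation=0.10) -> bool:
    # Band check of the kind Drift documents: live price within +/-10% of TWAP.
    # It only compares the feed against its own past, which the attacker wrote.
    return abs(live_price - twap(asset)) / twap(asset) <= max_deviation

def naive_collateral_value(asset, live_price) -> float:
    # Value credited when the oracle price is trusted at face value.
    return asset.deposited * live_price * asset.asset_weight

def liquidity_bounded_value(asset, live_price, depth_share=0.5) -> float:
    # Structural check (assumed policy): never credit more than the market could
    # absorb in a liquidation, here at most half the quote liquidity behind the price.
    return min(naive_collateral_value(asset, live_price),
               asset.dex_liquidity_usd * depth_share)

def fake_token_scenario() -> CollateralAsset:
    # Constructed to mirror the reported setup: ~20M tokens, a ~$500 pool and weeks
    # of wash trades leaving a smooth ~$5 history; all values are illustrative.
    history = [OracleSample(slot=s, price=4.95 if s % 2 else 5.05) for s in range(30)]
    return CollateralAsset("CVT", 20_000_000, 0.8, 500.0, history)

if __name__ == "__main__":
    asset, live = fake_token_scenario(), 5.2
    print("deviation check passes:", passes_deviation_check(asset, live))
    print("naive collateral USD:", naive_collateral_value(asset, live))
    print("liquidity-bounded USD:", liquidity_bounded_value(asset, live))
```

The band check passes because the wash-traded history is the only reference it has, while the liquidity bound credits $250 instead of roughly $83 million.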

Market Immediate Reaction

After the attack on Drift Protocol, its governance token DRIFT plummeted over 40% within 24 hours, while the annualized funding rate on DRIFT U perpetual contracts on major exchanges such as Binance went deeply negative, surging to the maximum level of more than 6,000%, meaning shorts were paying longs substantial funding.

Timeline of the Incident

On March 23, the attacker completed the initial nonce setup. Four durable nonce accounts were created that day: two related to members of Drift's Security Committee and two controlled by the attacker. Drift believes this indicates that at least 2 of the 5 multi-signature signers had signed transactions tied to durable nonce accounts, allowing delayed execution.

On March 25, the suspected attacker's main wallet (HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES) received initial funding through Near Intents and then remained dormant for a long time, until the day of the attack, when it suddenly activated and received a large amount of funds from Drift's treasury.

On March 27, Drift executed a planned multi-signature migration due to a change in the members of the security committee.

On March 30, new durable nonce activity appeared. A new durable nonce account was created for one of the members of the updated multi-signature. Drift believes this indicates the attacker had again obtained practical access to 2 of the 5 signers in the updated multi-signature.

On April 1, the attack entered the execution phase. First, Drift executed a test withdrawal transaction from the insurance fund. About one minute later, the attacker executed two pre-signed durable nonce transactions in quick succession, only four slots apart. The first created and approved the malicious administrator transfer; the second approved and executed it. At that point the attacker had taken over the protocol's key privileges.

From the afternoon into the evening of April 1, on-chain monitoring tools such as MLM detected abnormal fund flows from the related addresses, totaling approximately $270.6 million (about 50% of Drift's TVL), mainly in assets such as JLP and USDC. Helius CEO mert said on-chain signs suggested the protocol might have been attacked; Drift's official statement followed shortly afterward, confirming that it was observing unusual activity in the protocol and advising users not to deposit funds until further notice.

Drift stated that the attack hinged on two factors in combination: first, pre-signed durable nonce transactions that let the attacker defer execution to a chosen future moment; second, the compromised approvals of multiple multi-signature signers, likely obtained through targeted social engineering or disguised transaction contents.

Industry Experts' Views and Governance Reflection

Ledger's Chief Technology Officer Charles Guillemet stated that this attack was not due to a smart contract vulnerability but to long-term subversion of the multi-signature mechanism. The hacker allegedly controlled the devices or private keys of the multi-signature holders, misleading operators into approving malicious transactions. The method closely resembles last year's Bybit incident, which is suspected to be the work of North Korean (DPRK) hacker groups. He called on the industry to strengthen endpoint detection and adopt hardware-backed clear (plaintext) signing to reduce operational risk.

Uniswap founder Hayden Adams bluntly stated that centralized projects must stop calling themselves DeFi: if an administrator key can empty all the funds, it is essentially CeFi. Chaos Labs founder Omer Goldberg added that Drift's signing keys have complete control over market creation, oracle assignment, and withdrawal limits, and that the lack of a timelock reportedly allowed the attacker to complete the theft in about 10 seconds.
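Drift's account of the two durable nonce transactions four slots apart, and Goldberg's point that no timelock stood between approval and execution, can be replayed against a small multi-signature model. This added example is not Drift's code; the 2-of-5 threshold and the 4-slot gap come from the article, while the 18,000-slot delay (about two hours at roughly 400 ms per Solana slot) and the single-signer veto are assumed design choices.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum, auto

# Assumed: ~400 ms per Solana slot, so 18_000 slots is roughly two hours.
TIMELOCK_SLOTS = 18_000

class Action(Enum):
    ROUTINE = auto()
    ADMIN_TRANSFER = auto()        # hands over control of risk parameters
    RAISE_WITHDRAW_LIMIT = auto()  # the step that let funds leave

GUARDED_ACTIONS = {Action.ADMIN_TRANSFER, Action.RAISE_WITHDRAW_LIMIT}

@dataclass
class Proposal:
    action: Action
    approvals: set[str] = field(default_factory=set)
    approved_at_slot: int | None = None  # slot at which the threshold was reached
    vetoed: bool = False

class Multisig:
    def __init__(self, signers, threshold, timelock=TIMELOCK_SLOTS):
        self.signers, self.threshold, self.timelock = set(signers), threshold, timelock

    def approve(self, p: Proposal, signer: str, slot: int) -> None:
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")
        p.approvals.add(signer)
        if p.approved_at_slot is None and len(p.approvals) >= self.threshold:
            p.approved_at_slot = slot  # a pre-signed approval lands here too

    def veto(self, p: Proposal, signer: str) -> None:
        # Any single signer can stop a queued guarded action during the delay.
        if signer in self.signers and p.action in GUARDED_ACTIONS:
            p.vetoed = True

    def can_execute(self, p: Proposal, slot: int) -> tuple[bool, str]:
        if p.vetoed:
            return False, "vetoed during timelock"
        if p.approved_at_slot is None:
            return False, "threshold not met"
        waited = slot - p.approved_at_slot
        if p.action in GUARDED_ACTIONS and waited < self.timelock:
            return False, f"timelock: {self.timelock - waited} slots remaining"
        return True, "ok"

def replay_drift_sequence() -> dict:
    # Constructed replay: 2-of-5, two approvals pre-signed via durable nonces,
    # execution attempted four slots after the threshold is reached.
    ms = Multisig(["s1", "s2", "s3", "s4", "s5"], threshold=2)
    transfer = Proposal(Action.ADMIN_TRANSFER)
    ms.approve(transfer, "s1", slot=1_000)  # tx 1: create + approve
    ms.approve(transfer, "s2", slot=1_000)
    tx2_ok, tx2_reason = ms.can_execute(transfer, slot=1_004)  # tx 2, 4 slots later
    later_ok, _ = ms.can_execute(transfer, slot=1_000 + TIMELOCK_SLOTS)
    ms.veto(transfer, "s3")  # an honest signer who notices the queued transfer
    vetoed_ok, _ = ms.can_execute(transfer, slot=1_000 + TIMELOCK_SLOTS)
    return {"tx2_ok": tx2_ok, "tx2_reason": tx2_reason,
            "after_timelock_ok": later_ok, "after_veto_ok": vetoed_ok}
```

With the delay in place the second transaction is refused, and the window it opens is what lets the remaining signers notice and veto the queued transfer; routine actions are not delayed.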

Fund Tracking and Subsequent Response

On-chain tracking shows that the suspected attacker's address (HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES) quickly transferred and swapped the funds after the attack and bridged them to Ethereum via Wormhole. When part of the USDC passed through Circle's CCTP bridge, Circle did not freeze the funds in time, drawing criticism from Delphi Digital co-founder Tommy Shaughnessy and on-chain investigator ZachXBT, who argued that Circle reacted slowly despite having centralized freeze capabilities.

Currently, Drift is working with several security firms to investigate the root cause while also coordinating with cross-chain bridges, exchanges, and law enforcement agencies to track and freeze the stolen assets. Drift said a more detailed post-incident report will be released in the coming days and welcomed any information or leads related to the investigation.
