On April 2nd, the Drift Protocol team released a post-mortem analysis of the hack that drained approximately $280 million from the protocol the previous day.
According to the report, the attack did not exploit any flaw in the protocol code. It was a multi-week campaign that combined several techniques to deceive members of the platform's governing body into pre-signing transactions.
The team updated the amount to $280 million, slightly higher than the $270 million reported in the hours after the hack. All deposits in lending, vaults and trading were affected. As of this writing, the protocol remains frozen.
As reported by CriptoNoticias, Drift Protocol is the main decentralized exchange (DEX) for perpetual futures on Solana, and the attack represents the largest exploit in the Solana ecosystem since the Wormhole Bridge hack in 2022.
How did the attack happen?
According to a statement from Drift, the attacker leveraged a Solana network mechanism that allows transactions to be pre-signed and kept valid indefinitely, so that they can be executed at any time in the future.
These pre-signed transactions rely on what are called persistent nonces (durable nonces, in Solana's terminology), a legitimate feature of the network typically used to automate scheduled payments. In this case, the attacker used them to obtain in advance the approvals needed to take over the authority of the Drift Security Council, the body that holds administrative powers over the protocol, and executed them weeks later.
The council operates under a two-of-five multi-signature scheme: at least two signatures out of a possible five are required to approve an administrative action. Because two signers were compromised via persistent nonces, the attacker had everything needed to seize control, without the signers necessarily knowing what they had authorized.
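As an added illustration (my own example, not code from Drift or from CriptoNoticias), here is a pre-signing check in Python that parses a Solana legacy transaction message and flags one whose first instruction is the System Program's AdvanceNonceAccount, the marker of a durable-nonce transaction whose signature stays valid indefinitely instead of expiring with the recent blockhash. The message layout and instruction discriminants are assumed from the public Solana wire format; the account keys and sample messages are constructed.

```python
import struct

# Assumed Solana legacy message layout (public wire format):
# header(3) | compact-u16 n | n x 32-byte keys | 32-byte blockhash | compact-u16 m | m instructions
SYSTEM_PROGRAM = bytes(32)              # base58 "11111111111111111111111111111111"
ADVANCE_NONCE = struct.pack("<I", 4)    # SystemInstruction::AdvanceNonceAccount discriminant

def _read_compact_u16(buf, pos):
    """Decode compact-u16: 7 bits per byte, high bit means more bytes follow."""
    val = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, pos
        shift += 7

def parse_message(buf):
    """Return (account_keys, blockhash, [(program_key, account_indices, data), ...])."""
    n, pos = _read_compact_u16(buf, 3)                 # the header is the first 3 bytes
    keys = [bytes(buf[pos + 32 * i:pos + 32 * (i + 1)]) for i in range(n)]
    pos += 32 * n
    blockhash, pos = bytes(buf[pos:pos + 32]), pos + 32
    m, pos = _read_compact_u16(buf, pos)
    ixs = []
    for _ in range(m):
        prog_idx, pos = buf[pos], pos + 1
        k, pos = _read_compact_u16(buf, pos)
        acct_idxs, pos = list(buf[pos:pos + k]), pos + k
        dlen, pos = _read_compact_u16(buf, pos)
        data, pos = bytes(buf[pos:pos + dlen]), pos + dlen
        ixs.append((keys[prog_idx], acct_idxs, data))
    return keys, blockhash, ixs

def durable_nonce_check(buf):
    """Durable-nonce txs must start with AdvanceNonceAccount; their signature never expires."""
    keys, _, ixs = parse_message(buf)
    if ixs and ixs[0][0] == SYSTEM_PROGRAM and ixs[0][2][:4] == ADVANCE_NONCE:
        return {"durable": True, "nonce_account": keys[ixs[0][1][0]]}
    return {"durable": False, "nonce_account": None}
# Constructed sample (not real chain data): a 1000-lamport System transfer, optionally
# preceded by AdvanceNonceAccount(nonce_account, recent_blockhashes sysvar, authority).
# All lengths here are < 128, so each compact-u16 is a single literal byte.
SIGNER, NONCE_ACCT, SYSVAR = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
KEYS = [SIGNER, NONCE_ACCT, SYSVAR, SYSTEM_PROGRAM]
def sample_message(with_nonce):
    nonce_ix = bytes([3, 3, 1, 2, 0, 4]) + ADVANCE_NONCE                 # program idx 3, 3 accounts, 4 data bytes
    transfer = bytes([3, 2, 0, 1, 12]) + struct.pack("<IQ", 2, 1000)     # Transfer{lamports=1000}
    ixs = ([nonce_ix] if with_nonce else []) + [transfer]
    return bytes([1, 0, 1, len(KEYS)]) + b"".join(KEYS) + bytes(32) + bytes([len(ixs)]) + b"".join(ixs)
```

A signer-side tool can run this check on the unsigned message and require an explicit acknowledgement before approving anything flagged as durable.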
Attack timeline
As the Drift team explained, the operation took place over 10 days in three stages.
On March 23rd, the attacker created four persistent nonce accounts. Two were associated with members of Drift's multisig, and two were under the attacker's own control. At that point, at least two of the five council signers approved transactions tied to these accounts without knowing that they were pre-approving actions to be executed later.
On March 27th, Drift carried out the planned transition of the Security Council, which changed its membership. Three days later, on March 30th, the attacker created a new persistent nonce account associated with the newly added council member. This effectively re-established access to two of the five signatures of the new multisig.
On April 1st came the execution phase. Drift first made legitimate test transactions from the insurance fund. One minute later, the attacker executed two pre-signed transactions: the first created and approved a malicious administrative transfer, and the second executed it. Within minutes, the attacker had full administrative control of the protocol, introduced malicious assets, removed all pre-set withdrawal limits, and drained the funds.
According to the statement, the team has not ruled out the possibility that the signers were victims of social engineering or of misleading representations of the transactions they approved, but this has not been confirmed and the investigation continues.
Which drift operations are affected?
According to the statement, users who deposited funds into the protocol for lending, trading, or Drift vaults are affected.
dSOL tokens that were not deposited on Drift were not affected, including assets staked with the platform's own validators. Insurance Fund assets were preemptively removed from the protocol.
The multisig has been updated to remove the compromised wallet. Drift says it is working with security firms, exchanges, bridges and authorities to track and freeze the stolen assets.
Ecosystem voice
On-chain researcher ZachXBT took aim at Circle, the USDC issuer, accusing the company of taking no action while large amounts of stablecoins were being transferred from Solana to Ethereum during the attack.
According to ZachXBT, the transfer of funds went on for hours without intervention, even though Circle has the ability to freeze USDC tokens, via the CCTP cross-chain transfer protocol created by Circle. He also pointed out that Circle's tracking of the funds' destination contained errors: the attacker's SOL was not sent to Hyperliquid or Binance, but was bridged from Solana to Ethereum via Chainflip.
Charles Guillemet, chief technology officer at hardware wallet maker Ledger, said the attack pattern was similar to last year's Bybit hack, believed to be the work of North Korea-linked attackers, and was a patient and sophisticated operation that targeted humans and operational layers rather than code.
Guillemet believes the signers may have thought they were authorizing a legitimate operation while unknowingly authorizing the draining of the protocol.
The executive also called for improvements in industry security standards, including better detection of compromised environments, hardware key management, and clearer visibility into signature content.
Finally, the team at Jupiter, Solana's largest decentralized exchange, stated that its protocol is not exposed to Drift markets and that the JLP token is fully backed by its underlying assets.
Drift's statement describes a carefully planned strategy: weeks of preparation, access that survived the council's security transition, and an execution that took control within a minute. The team continues to work with brokerages, exchanges and authorities to trace the funds, but so far there have been no confirmed results.