Skip to content
Est. MMXXVIVol. VI · № 273RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 268Frontend Hijack

Drift Protocol Durable-Nonce Hijack

DPRK social-engineers tricked Drift Security Council members into blind-signing durable-nonce txs that handed over admin control, draining $285M on Solana.

Date
Victim
Drift Protocol
Chain(s)
Solana
Status
Funds Stolen
Attribution
Suspected Lazarus Group (DPRK)

On April 1, 2026, the Solana perpetuals exchange Drift Protocol lost approximately $285 million — the second-largest exploit in Solana history, after Wormhole. The attack capped a six-month social-engineering campaign in which operators posing as a quantitative-trading firm cultivated trust with Drift contributors and ultimately tricked Security Council members into blind-signing durable-nonce transactions that silently transferred admin control of the protocol.

What happened

Drift's admin permissions were held by a Security Council multi-signature scheme. As long as the Council signed nothing malicious, Drift was secure. The attack chain was designed to make the Council sign something malicious without realising it.

Solana supports durable nonces — a primitive that lets users construct a transaction in advance, sign it, and have a separate party submit it for execution later. The mechanism is useful for offline signing, batch operations, and certain custody flows. It is also dangerous, because a signed durable-nonce transaction can sit dormant for an arbitrary period and be triggered at the attacker's discretion.

The attackers (whose laundering pattern, infrastructure, and tradecraft were linked to DPRK actors by multiple firms):

  1. Posed as a quantitative trading firm beginning Fall 2025. Built business relationships with Drift contributors, including Security Council members. Conducted meetings, technical discussions, and joint research over months.
  2. Eventually proposed a "trading integration" or similar technical engagement that required Council members to pre-sign a set of durable-nonce transactions for ostensibly innocuous purposes (the precise pretext varied by target).
  3. The transactions presented to signers via wallets and signing UIs were made to display benign payloads — through some combination of UI-deception, calldata obfuscation, and the inherent difficulty of reading Solana program-derived address structures at signing time.
  4. Underneath the displayed payloads, the actual signed instructions transferred admin control of the Drift protocol to attacker-controlled keys.
  5. The signed durable-nonce transactions sat dormant for weeks.
  6. On April 1, 2026, the attackers triggered the transactions. Admin control silently passed. They then whitelisted a worthless attacker-deployed token (CVT) as collateral, deposited 500M CVT against an artificial price, and withdrew $285M in real assets — USDC, JLP, cbBTC, SOL, JitoSOL, WETH, WBTC, FARTCOIN, and others.

Aftermath

  • Drift paused the affected vaults as soon as the unauthorised withdrawals were detected. By then, >50% of TVL had been drained.
  • The Solana Foundation announced a programme to help fund security investments at major Solana DeFi protocols in the wake of the incident — including formal-verification grants and shared monitoring infrastructure.
  • On-chain forensics linked Tornado Cash withdrawals from March 10-11, 2026 to staging activity for the operation — establishing a long-running multi-month preparation window.
  • Recovery efforts focused on the laundering trails; partial freezes occurred at major exchange chokepoints. The bulk of the funds were laundered through standard Lazarus routes.

Why it matters

The Drift hack is the textbook case for why social engineering + signing-UI deception is now the dominant high-value attack vector in crypto. The same pattern has played out at much higher scale:

  • Radiant Capital (Oct 2024, $53M) — Telegram phishing → macOS malware → UI-deception of Gnosis Safe signers.
  • Bybit (Feb 2025, $1.46B) — Safe{Wallet} developer compromise → frontend JS injection → signers approved malicious calldata.
  • Drift (Apr 2026, $285M) — Six-month relationship-building → blind-signed durable nonces → silent admin takeover.

The structural lesson is consistent: the security boundary of multi-sig is the integrity of what the signers see when they sign, and that integrity is increasingly under sustained, well-resourced state-aligned attack. The defensive response — out-of-band calldata verification, blind-signing prohibitions on hardware wallets, independent transaction-simulation displays, durable-nonce policy controls — is becoming standard practice but lags the attacker's evolution.

For the Solana ecosystem specifically, the Drift incident foregrounded durable nonces as a governance-level risk that had not been widely understood, and prompted broader review of every protocol that uses them in admin paths.

Sources & on-chain evidence

  1. [01]chainalysis.comhttps://www.chainalysis.com/blog/lessons-from-the-drift-hack/
  2. [02]trmlabs.comhttps://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist
  3. [03]crypto.newshttps://crypto.news/drift-protocols-285m-hack-exposes-social-engineering-threat-to-solana-defi/

Related filings