Solana DeFi Exchange Drift Halts Services After $285M Exploit Scare

  • Drift halted deposits and withdrawals after a suspected exploit drained about $280M.
  • The breach involved pre-signed durable-nonce transactions and enough multisig approvals to seize admin control.
  • DRIFT dropped 30% as Solana firms and wallet providers moved to contain fallout.

A suspected security breach hit Solana-based decentralized exchange Drift on Wednesday after on-chain activity showed more than $200 million leaving protocol-controlled wallets. The platform then suspended deposits and withdrawals as users tracked rapid transfers from its vaults to an outside address.

In posts on X, Drift said it was facing an active attack and was coordinating with security firms, bridges, exchanges, and law enforcement. The company stressed that the incident was not an April Fools’ joke and later said roughly $280 million had been withdrawn.

The Attack Unfolded Through Rapid Vault Transfers

Reports of unusual activity surfaced about two hours before the protocol published its first public alert. Users observed large transfers moving from the Drift Protocol vault to a Solana wallet beginning with “HkGz4K.”

The first major transfer occurred at about 11:06 a.m., when roughly 41 million JLP tokens worth $155 million left the vault. More tokens soon followed, and the attacker distributed funds across other wallets as the breach widened.

According to Arkham Intelligence, total transfers from the protocol to the attacker’s address exceeded $250 million after Wednesday’s activity. PeckShield Alerts estimated the possible exploit total at up to $285 million.

The Protocol Says Durable Nonces Enabled the Takeover

In a detailed thread, Drift said the attacker gained unauthorized access through a novel operation involving durable nonces and administrative controls. A durable nonce lets a signed Solana transaction remain valid indefinitely instead of expiring with its recent blockhash within a minute or two, so approvals collected in advance can be held and submitted later. The exchange said the incident did not result from a bug in its programs or smart contracts.

The protocol also said there was no evidence that seed phrases were compromised during the incident. Instead, it said the attack likely relied on unauthorized or misrepresented transaction approvals obtained before execution.

According to the protocol’s account, the attacker pre-positioned access via durable nonce accounts and obtained sufficient approvals to meet a 2-of-5 multisig threshold. That access allegedly enabled a malicious admin transfer and rapid control over protocol-level permissions.

The attacker then introduced a malicious asset and removed all preset withdrawal caps, according to the thread. That sequence allowed existing funds to be drained at speed once administrative control had changed.
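As an added illustration of the check a multisig signer would want before approving anything (example code written for this page, not Drift's or Solana's own tooling): the script below parses a legacy Solana transaction message and reports whether its first instruction is the System Program's AdvanceNonceAccount, which is what makes a signed transaction durable, and which key is the nonce authority. The sample message bytes and every account key except the System Program ID are constructed placeholders, and the parser handles legacy (unversioned) messages only.

```python
"""Screen a Solana legacy transaction message for durable-nonce use.

Added example, not Drift's code. If the first instruction of a message is the
System Program's AdvanceNonceAccount, the runtime treats it as a durable-nonce
transaction: recent_blockhash carries the nonce stored in a nonce account and
the signed transaction does not expire until that nonce is advanced. Otherwise
the transaction expires once its blockhash is about 150 slots old (roughly a
minute). A signer should see which case applies, and who the nonce authority
is, before approving. Legacy (unversioned) messages only. All keys below are
constructed placeholders except SYSTEM_PROGRAM_ID.
"""
import struct

SYSTEM_PROGRAM_ID = bytes(32)  # base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4      # SystemInstruction enum index (bincode u32 LE)
TRANSFER = 2                   # SystemInstruction::Transfer, for the samples


def encode_compact_u16(n):
    """Solana compact-u16: 7 data bits per byte, low bits first, 0x80 = more."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def decode_compact_u16(buf, pos):
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 14:
            raise ValueError("compact-u16 longer than 3 bytes")


def build_legacy_message(header, keys, recent_blockhash, instructions):
    """header: 3 bytes; instructions: [(program_index, [account_indexes], data)]."""
    out = bytearray(header) + encode_compact_u16(len(keys)) + b"".join(keys)
    out += recent_blockhash + encode_compact_u16(len(instructions))
    for prog, accts, data in instructions:
        out += bytes([prog]) + encode_compact_u16(len(accts)) + bytes(accts)
        out += encode_compact_u16(len(data)) + data
    return bytes(out)


def parse_legacy_message(data):
    """Return (header, account_keys, recent_blockhash, instructions)."""
    if data[0] & 0x80:  # versioned messages carry a version byte with the high bit set
        raise ValueError("versioned message; only legacy messages are parsed")
    header, pos = tuple(data[:3]), 3
    n, pos = decode_compact_u16(data, pos)
    keys = [data[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n)]
    pos += 32 * n
    recent_blockhash, pos = data[pos:pos + 32], pos + 32
    n, pos = decode_compact_u16(data, pos)
    instructions = []
    for _ in range(n):
        prog, pos = data[pos], pos + 1
        c, pos = decode_compact_u16(data, pos)
        accts, pos = list(data[pos:pos + c]), pos + c
        c, pos = decode_compact_u16(data, pos)
        idata, pos = data[pos:pos + c], pos + c
        if prog >= len(keys) or any(a >= len(keys) for a in accts):
            raise ValueError("account index out of range")
        instructions.append((prog, accts, idata))
    if pos != len(data):  # catches both truncated and over-long input
        raise ValueError("message length does not match its contents")
    return header, keys, recent_blockhash, instructions


def is_advance_nonce(instruction, keys):
    prog, _, data = instruction
    return (keys[prog] == SYSTEM_PROGRAM_ID and len(data) == 4
            and struct.unpack("<I", data)[0] == ADVANCE_NONCE_ACCOUNT)


def screen_message(data):
    """What a signer should see before approving: durable or not, and which
    account (nonce) and key (authority) keep the transaction alive."""
    header, keys, recent_blockhash, instructions = parse_legacy_message(data)
    report = {
        "durable_nonce": False,
        "signers": keys[:header[0]],
        "nonce_account": None,
        "nonce_authority": None,
        "nonce_value": None,
        # AdvanceNonceAccount anywhere but first does not make a transaction
        # durable; such a transaction still expires with its blockhash.
        "advance_nonce_not_first": any(is_advance_nonce(i, keys) for i in instructions[1:]),
    }
    if instructions and is_advance_nonce(instructions[0], keys):
        # AdvanceNonceAccount accounts: [nonce account, RecentBlockhashes sysvar, nonce authority]
        accts = instructions[0][1]
        report.update(durable_nonce=True, nonce_account=keys[accts[0]],
                      nonce_authority=keys[accts[2]], nonce_value=recent_blockhash)
    return report


# Constructed placeholder keys for the samples (not real addresses).
SIGNER = bytes([0xA1]) * 32                 # multisig member asked to sign
NONCE_ACCOUNT = bytes([0xB2]) * 32
RECENT_BLOCKHASHES_SYSVAR = bytes([0xC3]) * 32
DESTINATION = bytes([0xD4]) * 32
NONCE_VALUE = bytes([0xEE]) * 32            # stored nonce, placed in recent_blockhash
LIVE_BLOCKHASH = bytes([0x11]) * 32
TRANSFER_DATA = struct.pack("<IQ", TRANSFER, 1_000_000)   # 0.001 SOL


def sample_ordinary_message():
    keys = [SIGNER, DESTINATION, SYSTEM_PROGRAM_ID]
    return build_legacy_message(bytes([1, 0, 1]), keys, LIVE_BLOCKHASH,
                                [(2, [0, 1], TRANSFER_DATA)])


def sample_durable_nonce_message():
    keys = [SIGNER, NONCE_ACCOUNT, DESTINATION, RECENT_BLOCKHASHES_SYSVAR, SYSTEM_PROGRAM_ID]
    advance = struct.pack("<I", ADVANCE_NONCE_ACCOUNT)
    return build_legacy_message(bytes([1, 0, 2]), keys, NONCE_VALUE,
                                [(4, [1, 3, 0], advance), (4, [0, 2], TRANSFER_DATA)])


if __name__ == "__main__":
    for name, msg in (("ordinary", sample_ordinary_message()),
                      ("durable", sample_durable_nonce_message())):
        print(name, screen_message(msg)["durable_nonce"])
```

A transaction reported with `durable_nonce` set will not expire with the blockhash, so the signer should ask why a long-lived approval is needed and who holds the nonce authority: that party decides whether the pre-signed transaction is invalidated by advancing the nonce or kept usable until a convenient moment, which is the property the attack timeline above turned on.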

Timeline Points to Preparation Before April 1

The protocol said four durable nonce accounts were created on March 23, including two tied to Security Council multisig members. Two others were described as attacker-controlled, pointing to earlier preparation before the withdrawal event.

A planned Security Council migration followed on March 27 due to a change in a council member. On March 30, another durable nonce account was created for an updated multisig member.

The protocol stated that this step again gave the attacker effective control of 2 of the 5 signers. Then, on April 1, the exchange executed what it described as a legitimate insurance fund test withdrawal.

The insurance fund test withdrawal was linked in the thread through a public Solscan transaction record. About one minute later, two pre-signed durable nonce transactions were executed four slots apart, according to the protocol.

Those transactions allegedly created, approved, and executed the malicious admin transfer. The protocol then froze remaining functions and updated the multisig to remove the compromised wallet.

Funds Affected as the Wider Solana Ecosystem Responds

The exchange said that borrow-and-lend deposits, vault deposits, and trading collateral were affected by the incident. It added that DSOL not deposited in the protocol, including assets staked to the validator, was unaffected.

Insurance Fund assets were also set to be withdrawn for safeguarding, according to the protocol’s statement. All remaining protocol functions were frozen as a precaution during the investigation.

Forward Industries and DeFi Development Corp said their treasuries were not affected by the exploit. Wallet provider Phantom also added warnings for users attempting to access the protocol while the review continued.

The incident sent the native DRIFT token sharply lower. The token fell nearly 31% on the day to about $0.048, leaving it more than 98% below its November 2024 peak of $2.65.

Disclaimer: The information provided by CryptoTale is for educational and informational purposes only and should not be considered financial advice. Always conduct your own research and consult with a professional before making any investment decisions. CryptoTale is not liable for any financial losses resulting from the use of the content.