How Did the Drift Exploit Unfold?
Drift disclosed new details on the $280 million exploit that hit its Solana-based trading platform, identifying the attack as a coordinated operation involving pre-approved transactions and compromised governance controls. The incident ranks among the largest decentralized finance exploits to date.
According to the team, the attacker gained unauthorized access by leveraging durable nonce accounts, which allow pre-signed transactions to be executed at a later time. This enabled the attacker to pre-position control and execute actions without immediate detection.
Drift stated: “A malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.”
The attacker also secured multisig transaction approvals in advance, likely through social engineering or transaction misrepresentation. With protocol-level permissions compromised, the attacker introduced a malicious asset and removed withdrawal limits, enabling the rapid draining of funds.
The protocol ruled out a smart contract vulnerability or seed phrase compromise, pointing instead to weaknesses in governance and transaction authorization processes.
What Does This Say About Multisig Security in DeFi?
The exploit highlights a structural risk in multisig governance systems. While multisig wallets are widely used to secure protocol upgrades and treasury movements, they remain vulnerable if signers approve transactions without fully verifying intent.
In this case, approvals were obtained before execution, allowing the attacker to activate malicious actions at a later stage. This delayed execution model reduces visibility and creates a window for exploitation, particularly when combined with social engineering tactics.
By gaining control over administrative permissions, the attacker bypassed traditional safeguards and executed changes at the protocol level rather than exploiting code vulnerabilities.
Investor Takeaway
Why Is Circle Facing Criticism?
The exploit has also drawn attention to stablecoin issuer Circle and its response to the incident. Onchain investigator ZachXBT criticized the company for failing to freeze approximately $230 million in USDC linked to the attack.
Citing onchain data, ZachXBT said the funds were bridged from Solana to Ethereum using Circle’s Cross-Chain Transfer Protocol. “Value was moved and nothing was done yet again,” he wrote, adding: “Six hours is how long Circle had to freeze stolen funds from the $280M+ Drift hack.”
The criticism reflects ongoing concerns around centralized control in stablecoin systems. While issuers like Circle have the ability to freeze assets, decisions on when and how to act remain opaque, creating tension between decentralization principles and operational control.
ZachXBT has previously raised similar concerns after Circle froze wallets tied to unrelated cases, highlighting inconsistencies in enforcement and response timing.
Investor Takeaway
What Are the Broader Market Implications?
Drift has frozen remaining protocol functions and updated its multisig structure to remove the compromised wallet. The team is working with exchanges, bridges, and law enforcement to track and recover the stolen funds.
The platform, which has more than $550 million in total value locked, is a core component of the Solana ecosystem, particularly in perpetual futures trading. The exploit affects multiple asset types, including SOL, USDC, wrapped bitcoin, and liquidity pool tokens.
