weeks of setup, minutes to drain

Solana-based crypto exchange Drift Protocol was hacked for roughly $280 million yesterday as part of a weeks-long operation that likely used social engineering to compromise multiple multisig signers’ approvals.

On April 1, 7 pm UTC+1 time, Drift announced that there was “unusual activity” on the protocol and that users should avoid depositing funds. It stressed, “This is not an April Fools joke.” 

This followed from X users raising alarms that Drift was being exploited and that it was going to be a substantial one. 

Drift then confirmed that it was under an ongoing attack and that it would need to suspend deposits and withdrawals. Researchers began to speculate that Drift’s private keys were compromised. 

Read more: Liquity accused of ‘market manipulation’ after Circle acquisition April Fools’

Drift has since shared a detailed timeline of what took place and how. 

It said, “This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution.”

It claims the attack was not caused by a bug in Drift’s programs or smart contracts, there was no evidence of compromised seed phrases, and that the attack involved unauthorized transaction approvals before the hack’s execution.

However, it admitted that these approvals were likely facilitated by a social engineering attack against its staff and the manipulation of “durable nonce mechanisms.”

What went down with Drift

Durable nonce mechanisms are a type of blockchain tool that can bypass blockhash signing and facilitate offline translation signing. 

Drift claims that on March 23, four durable nonce accounts were created, two of which were associated with Drift Security Council multisig members and two associated with attacker-controlled accounts.

Read more: Circle rarely freezes stolen funds but wants reversible transactions

Then, on March 27, “Drift executed a planned Security Council migration due to a council member change.”

Three days later, another durable nonce account was created for a member of the updated multisig, giving the attackers “effective access to 2/5 signers in the updated multisig.”

Day of execution 

Drift claims that on April 1, it executed a test withdrawal from the insurance fund. The attacker then, with access to the multisig approvals, executed “a malicious admin transfer within minutes, gaining control of protocol-level permissions.”

Attackers could then, “Use that control to introduce a malicious asset and remove all pre-set withdrawal limits attacking existing funds.”

Drift hasn’t shared any details about how the likely social engineering attack took place. They can sometimes be the result of an attacker donning a false identity, be it over direct message, email, or phone, and tricking someone into giving them access to key privileges. 

Drift’s partner Circle hasn’t frozen funds

The incident has drawn criticism from the crypto investigator ZachXBT, who took issue with the stablecoin firm Circle and its slow efforts to freeze the stolen funds. 

Drift integrated Circle’s Cross-Chain Transfer Protocol (CTTP) in 2023. ZachXBT noted that “Circle was asleep while many millions of USDC was swapped via CCTP from Solana to Ethereum for hours from the 9 figure Drift hack during US hours.”

“6 hours is how long Circle had to freeze stolen funds from the $280M+ Drift hack,” he said.

Other users have taken issue with the classification of the protocol as “decentralized,” after the attack appears to have exploited centralised mechanisms.

Other users were annoyed that Drift only required two out of the five multig approvals to action the transaction. 

Read more: ‘Bad actor’ Circle slammed for letting stolen $3M USDC sit unfrozen

The platform said that it was working alongside security firms, law enforcement, bridges, and exchanges to figure out what happened and freeze the stolen assets. It added that a more detailed report will arrive in the coming days. 

The Chief Technology Officer for Ledger has already speculated that the events of the hack resemble a similar modus operandi “to the Bybit hack last year, widely attributed to DPRK-linked actors.”

Protos has reached out to Drift for comment and will update this piece should we hear anything back. 

Got a tip? Send us an email securely via Protos Leaks. For more informed news and investigations, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.