03.04.2026
Drift Protocol Hacked for $280 Million Via Novel Solana Durable Nonce Exploit
Attackers meticulously prepared for weeks, utilizing Solana’s durable nonce to pre-sign a series of malicious transactions that would not expire. This allowed them to orchestrate a precise, high-speed extraction once other elements of their plan were in place. The durable nonce mechanism, typically used for gasless or offline transactions that require indefinite validity, was weaponized to circumvent the usual time-bound transaction windows, giving the perpetrators an unparalleled operational advantage.
Hours before the main exploit, the threat actors gained unauthorized access to a Drift admin key, enabling them to modify critical protocol settings. This was achieved by compromising multiple signers of a 2-of-5 multisig security council, effectively bypassing the protocol's governance safeguards. The ability to manipulate the multisig setup demonstrates a severe breach of administrative control, suggesting either highly targeted social engineering or transaction misrepresentation was involved.
Once administrative control was established and pre-signed transactions were primed, the attackers moved with extreme precision. They emptied three key protocol vaults, including approximately 41.7 million JLP tokens valued at around $155 million. The entire draining process occurred within seconds, showcasing the automated and highly coordinated nature of the operation. The speed of execution left the protocol with little time to react, illustrating the inherent challenges in responding to zero-day exploits on high-throughput blockchains.
Immediately following the asset drain, the stolen funds, totaling between $280 million and $286 million, were rapidly converted into USDC stablecoins and then bridged to the Ethereum network. Blockchain analytics firm Elliptic has attributed the attack to North Korean-linked actors, citing transaction patterns, laundering methodologies, and network signatures consistent with previous state-sponsored operations. This incident marks the 18th suspected DPRK-linked crypto attack in 2026, pushing their year-to-date stolen total past $300 million.
The immediate aftermath saw Drift Protocol suspending all deposits and withdrawals, freezing the platform to prevent further losses and contain the breach. The protocol team has since initiated coordination with multiple security firms, cross-chain bridges, major exchanges, and law enforcement agencies to trace and potentially freeze the illicitly moved assets. Despite these efforts, recovering such a significant sum after it has traversed multiple chains and been dispersed remains a formidable challenge.
This exploit is now recorded as the second-largest in Solana's history, trailing only the 2022 Wormhole bridge attack, which resulted in a $326 million loss. The incident has sent ripples through the Solana ecosystem, with SOL's spot price dropping roughly 9% to approximately $78.60 in the hours following the news. The rapid collapse of Drift’s TVL from $550 million to under $250 million underscores the fragility of investor confidence in the face of such large-scale security failures.
The technical sophistication of this attack, particularly the novel use of durable nonces combined with a multisig compromise, presents a stark warning to all DeFi protocols. It highlights that even established security mechanisms can harbor subtle vulnerabilities when combined with other exploit vectors. As protocols continue to innovate, how will the industry adapt its security audits and threat modeling to anticipate and mitigate such intricate, multi-faceted attack strategies before they cause catastrophic losses?