Full Report
Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1, 2026. "Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers," the
Analysis Summary
# Incident Report: Drift Protocol $285M Security Breach
## Executive Summary
On April 1, 2026, the Solana-based decentralized exchange Drift was exploited for approximately $285 million. The attackers combined social engineering of multisig signers with a novel use of Solana "durable nonces", which keep a signed transaction valid until its holder chooses to submit it rather than letting it expire with a recent blockhash, to take over the protocol's Security Council administrative powers. Attributed to DPRK-linked threat actors, the incident ended with the listing of a fictitious collateral token and the draining of legitimate assets against it.
## Incident Details
- **Discovery Date:** April 1, 2026
- **Incident Date:** April 1, 2026 (Preparations began March 23, 2026)
- **Affected Organization:** Drift Protocol
- **Sector:** Decentralized Finance (DeFi) / Cryptocurrency
- **Geography:** Global; attributed to North Korea (DPRK)
## Timeline of Events
### Initial Access
- **Date/Time:** March 23, 2026 (Staging began)
- **Vector:** Social Engineering / Durable Nonce manipulation
- **Details:** Attackers targeted multi-signature (multisig) signers through persuasive personas to obtain pre-signed transaction approvals.
### Lateral Movement
- **Movement:** The actors had signers approve durable-nonce transactions, which do not expire after the usual ~150-slot blockhash window and so could be collected over several days and submitted together. Once enough approvals were in hand, they executed a Security Council migration that carried no timelock, leaving no window for the remaining signers to intervene.
### Data Exfiltration/Impact
- **Impact:** Once administrative control was obtained, the attackers introduced a fictitious asset, "CarbonVote Token," and wash-traded it to create fake liquidity. They then removed all withdrawal limits and drained $285 million in legitimate collateral.
### Detection & Response
- **Detection:** The takeover of administrative powers and the subsequent drain were observed on-chain on April 1; Drift publicly confirmed the incident the same day.
- **Response:** Drift coordinated with security firms (Elliptic, TRM Labs) and law enforcement, asked bridges and exchanges to freeze stolen assets, and analyzed the on-chain signatures together with deployment timing consistent with Pyongyang working hours as attribution evidence.
## Attack Methodology
- **Initial Access:** Social engineering of multisig signers using "DangerousPassword" personas.
- **Persistence:** Unauthorized takeover of Drift’s Security Council administrative powers.
- **Privilege Escalation:** Exploiting a zero-timelock Security Council migration with the pre-signed durable-nonce transactions.
- **Defense Evasion:** Durable-nonce transactions were held off-chain until the attackers chose to submit them, so each approval looked like a routine signing request at the time it was made and never appeared in any on-chain queue where it could have been reviewed.
- **Credential Access:** Misrepresented transaction approvals (obtained via social engineering).
- **Discovery:** Identification of protocol administrative structures and withdrawal limit mechanisms.
- **Lateral Movement:** From individually deceived signers to protocol-level administrative permissions held by the Security Council.
- **Collection:** Gathering liquid assets from the protocol using a fake collateral asset.
- **Exfiltration:** Laundering stolen crypto via Tornado Cash and cross-chain bridges.
- **Impact:** Total loss of $285 million; removal of withdrawal limits.
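The durable-nonce mechanism in the Initial Access, Privilege Escalation and Defense Evasion items above is what turned individually harmless-looking approvals into an indefinitely valid attack. The following is an added example, not Drift's code and not from the report: a dependency-free Python screen that a signer (or signer tooling) can run over a Solana legacy transaction message before co-signing. It parses the wire format and reports whether the message opens with a SystemProgram `AdvanceNonceAccount` instruction, which is the durable-nonce marker, and who holds the nonce authority. The System Program ID (32 zero bytes, base58 `11111111111111111111111111111111`) and the discriminant `4` are real Solana constants; every other pubkey, the multisig program and its `approve` instruction are constructed placeholders.

```python
"""Screen a Solana legacy transaction message for a durable-nonce prefix before co-signing.

Added example (not Drift's code). A durable-nonce transaction opens with a SystemProgram
AdvanceNonceAccount instruction and carries the nonce account's stored value in the
recent_blockhash field, so it never expires; whoever holds the nonce authority decides
when it lands. All pubkeys below other than the System Program are constructed stand-ins.
"""
import struct

SYSTEM_PROGRAM_ID = bytes(32)   # base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4       # SystemInstruction discriminant, little-endian u32


def encode_compact_u16(n: int) -> bytes:
    """Solana's compact-u16 length prefix (7 bits per byte, high bit = continue)."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        if n == 0:
            out.append(b)
            return bytes(out)
        out.append(b | 0x80)


def decode_compact_u16(buf: bytes, pos: int):
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def build_legacy_message(header, keys, blockhash: bytes, instructions) -> bytes:
    """Serialise (header, account keys, blockhash, instructions) in the legacy wire format."""
    out = bytearray(bytes(header))
    out += encode_compact_u16(len(keys)) + b"".join(keys)
    out += blockhash
    out += encode_compact_u16(len(instructions))
    for prog_idx, acct_idxs, data in instructions:
        out.append(prog_idx)
        out += encode_compact_u16(len(acct_idxs)) + bytes(acct_idxs)
        out += encode_compact_u16(len(data)) + data
    return bytes(out)


def parse_legacy_message(msg: bytes) -> dict:
    header, pos = tuple(msg[:3]), 3
    n_keys, pos = decode_compact_u16(msg, pos)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32
    n_ix, pos = decode_compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        prog_idx, pos = msg[pos], pos + 1
        n_acc, pos = decode_compact_u16(msg, pos)
        acct_idxs, pos = list(msg[pos:pos + n_acc]), pos + n_acc
        n_data, pos = decode_compact_u16(msg, pos)
        data, pos = msg[pos:pos + n_data], pos + n_data
        instructions.append((keys[prog_idx], acct_idxs, data))
    if pos != len(msg):
        raise ValueError("trailing bytes in message")
    return {"header": header, "keys": keys, "blockhash": blockhash, "instructions": instructions}


def durable_nonce_check(msg: bytes) -> dict:
    """Report whether msg is a durable-nonce transaction and who controls the nonce."""
    parsed = parse_legacy_message(msg)
    if not parsed["instructions"]:
        return {"durable_nonce": False}
    program, accts, data = parsed["instructions"][0]
    if (program == SYSTEM_PROGRAM_ID and len(data) >= 4 and len(accts) >= 3
            and struct.unpack("<I", data[:4])[0] == ADVANCE_NONCE_ACCOUNT):
        return {
            "durable_nonce": True,
            "nonce_account": parsed["keys"][accts[0]],
            "nonce_authority": parsed["keys"][accts[2]],  # decides when the tx is submitted
            "stored_nonce": parsed["blockhash"],          # not a real recent blockhash
        }
    return {"durable_nonce": False}


# Constructed sample inputs: placeholder pubkeys and a stand-in multisig "approve" instruction.
SIGNER = b"\x01" * 32                    # the council member being asked to sign
NONCE_ACCOUNT = b"\x02" * 32
NONCE_AUTHORITY = b"\x03" * 32           # attacker-controlled in the scenario
RECENT_BLOCKHASHES_SYSVAR = b"\x04" * 32  # placeholder for the recent-blockhashes sysvar
MULTISIG_PROGRAM = b"\x05" * 32
PROPOSAL = b"\x06" * 32
APPROVE_DATA = b"approve"


def routine_approval() -> bytes:
    """An ordinary approval: expires with its blockhash, cannot be hoarded."""
    keys = [SIGNER, PROPOSAL, MULTISIG_PROGRAM]
    return build_legacy_message((1, 0, 1), keys, b"\xaa" * 32, [(2, [0, 1], APPROVE_DATA)])


def masqueraded_approval() -> bytes:
    """The same approval, prefixed with AdvanceNonceAccount so it stays valid indefinitely."""
    keys = [SIGNER, NONCE_AUTHORITY, NONCE_ACCOUNT, PROPOSAL,
            RECENT_BLOCKHASHES_SYSVAR, MULTISIG_PROGRAM, SYSTEM_PROGRAM_ID]
    return build_legacy_message((2, 0, 3), keys, b"\xbb" * 32, [
        (6, [2, 4, 1], struct.pack("<I", ADVANCE_NONCE_ACCOUNT)),  # durable-nonce marker
        (5, [0, 3], APPROVE_DATA),
    ])


if __name__ == "__main__":
    for name, msg in (("routine", routine_approval()), ("masqueraded", masqueraded_approval())):
        print(name, durable_nonce_check(msg))
```

A wallet or multisig front-end that shows only the "approve" instruction hides exactly the prefix this check looks for, so the screen belongs in signer tooling, not in the UI the attacker controls. Note also that a flagged approval cannot be clawed back later: only the nonce authority can advance the nonce, so if that authority is attacker-held, the approval stays live until the signer is removed from the multisig.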
## Impact Assessment
- **Financial:** $285 million USD in drained cryptoassets.
- **Data Breach:** Compromise of administrative multisig approvals (signatures obtained under false pretenses rather than by key theft, per the report).
- **Operational:** Rapid loss of protocol liquidity and temporary suspension of normal administrative functions.
- **Reputational:** High public impact; incident linked to major North Korean state-sponsored theft campaigns.
## Indicators of Compromise
- **Network Indicators:** Malicious contract deployments timestamped 09:30 Pyongyang time (UTC+9), used as an attribution signal.
- **File/Contract Indicators:** Malicious asset "CarbonVote Token" (fictitious collateral).
- **Behavioral Indicators:** Staging of funds via Tornado Cash; use of durable nonces for delayed transaction execution; rapid removal of pre-set withdrawal limits.
## Response Actions
- **Containment:** Coordination with exchanges and bridges to freeze known attacker addresses.
- **Eradication:** Review of all multisig approvals for outstanding pre-signed transactions. A durable-nonce transaction is held off-chain until submitted and cannot be found by scanning the ledger, so the remedy is to invalidate the approvals: rotate the affected signers out of the multisig and, for nonce accounts the team itself controls, advance or close them.
- **Recovery:** Working with security partners to trace assets and restore protocol governance.
## Lessons Learned
- **Key Takeaways:** Even "secure" multisig setups are vulnerable if signers can be social-engineered into pre-signing transactions. The lack of a timelock on administrative migrations provided no window for intervention.
- **Shortcomings:** The protocol’s oracles allowed a newly created, wash-traded asset (CarbonVote) to be treated as high-value collateral immediately.
## Recommendations
- **Governance Controls:** Implement mandatory 24-48 hour timelocks for all administrative or Security Council migrations.
- **Oracle Guardrails:** Impose "liquidity-adjusted" collateral limits to prevent fictitious or low-liquidity tokens from being used for massive borrows.
- **Security Awareness:** Enhanced training for multisig signers on "transaction masquerading" and the risks of durable nonces, including the habit of inspecting the full instruction list (especially the first instruction) and simulating a transaction before signing it.
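The Oracle Guardrails recommendation above can be made concrete. What follows is an added illustration, not Drift's risk engine and not from the report: a Python valuation that caps how much collateral value any one market can contribute to what can be sold within a slippage band on independent venues, and credits nothing for markets younger than a configurable listing age. The market figures, the 10% depth fraction, the one-day age gate and the 50% borrow limit are constructed assumptions chosen to show the mechanism.

```python
"""Liquidity-adjusted collateral valuation (added illustration, not Drift's code).

A wash-traded token can push an oracle price anywhere, but it cannot conjure real
depth on venues it does not control. Crediting collateral only up to a fraction of
that depth, and nothing at all for brand-new listings, bounds what a fictitious
asset can borrow. All numbers below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Market:
    symbol: str
    oracle_price: float    # USD per token as reported by the oracle
    depth_usd: float       # USD sellable within 2% slippage on independent venues
    age_slots: int         # slots since the market was listed
    nominal_weight: float  # collateral weight the protocol assigns at listing


@dataclass(frozen=True)
class Guardrails:
    depth_fraction: float = 0.10   # credit at most 10% of real depth as collateral
    min_age_slots: int = 216_000   # about one day at 400 ms/slot; newer markets count for zero
    max_borrow_ltv: float = 0.50   # hypothetical borrow limit against credited collateral


def naive_collateral_usd(m: Market, balance: float) -> float:
    """What a protocol credits if it trusts oracle price times balance."""
    return balance * m.oracle_price * m.nominal_weight


def capped_collateral_usd(m: Market, balance: float, g: Guardrails = Guardrails()) -> float:
    """Same valuation with a listing-age gate and a depth cap applied first."""
    if m.age_slots < g.min_age_slots:
        return 0.0
    mark_value = balance * m.oracle_price
    return min(mark_value, g.depth_fraction * m.depth_usd) * m.nominal_weight


def max_borrow_usd(positions, g: Guardrails = Guardrails()) -> float:
    """Borrow power over a list of (Market, balance) pairs under the guardrails."""
    return sum(capped_collateral_usd(m, b, g) for m, b in positions) * g.max_borrow_ltv


# Constructed markets: a thin, freshly listed token with an inflated oracle price,
# the same token after it has aged past the gate, and a deep established asset.
NEW_THIN = Market("FAKE", oracle_price=5.0, depth_usd=40_000.0, age_slots=3_000, nominal_weight=0.8)
AGED_THIN = Market("FAKE", oracle_price=5.0, depth_usd=40_000.0, age_slots=500_000, nominal_weight=0.8)
DEEP = Market("SOL", oracle_price=150.0, depth_usd=50_000_000.0, age_slots=10_000_000, nominal_weight=0.9)

if __name__ == "__main__":
    print("naive  FAKE x1e6 :", naive_collateral_usd(NEW_THIN, 1_000_000))
    print("capped FAKE x1e6 :", capped_collateral_usd(NEW_THIN, 1_000_000))
    print("capped FAKE aged :", capped_collateral_usd(AGED_THIN, 1_000_000))
    print("borrow power     :", max_borrow_usd([(DEEP, 100.0), (AGED_THIN, 1_000_000)]))
```

The depth input is the part that matters: it has to come from venues the listing party cannot wash-trade, or the cap collapses back to the naive valuation.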