TLDR:
The Drift Protocol exploit has rattled the decentralized finance space, with attackers draining approximately $280 million from the platform. The breach involved a coordinated admin takeover rather than any smart contract vulnerability.
The attacker secured access to Drift’s Security Council admin using pre-signed transactions via durable nonce accounts.
This approach allowed transactions to be signed in advance and executed at a later time, because a durable nonce stands in for the recent blockhash that would otherwise cause a signed transaction to expire. There was no evidence of compromised seed phrases linked to the breach. The attack was not the result of any smart contract bug or exploit.
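As an added illustration (not from the article, Drift, or SolanaFloor), the following Python parses a legacy Solana message and flags the durable-nonce pattern described above, so a multisig review step can show signers the nonce account and authority before they approve; the message bytes and keys are constructed placeholders.

```python
import struct
SYSTEM_PROGRAM = bytes(32)   # all-zero key, base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4    # SystemInstruction discriminant, encoded as u32 little-endian
def read_compact_u16(buf, pos):
    """Decode a compact-u16 (shortvec) length prefix; returns (value, new_pos)."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
def parse_legacy_message(msg):
    """Parse a legacy Solana Message into (account keys, blockhash, instructions)."""
    pos = 3                                   # skip the 3-byte MessageHeader
    n_keys, pos = read_compact_u16(msg, pos)
    keys = [msg[pos + 32 * i:pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32
    n_ix, pos = read_compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        prog_idx, pos = msg[pos], pos + 1
        n_acc, pos = read_compact_u16(msg, pos)
        accounts, pos = [keys[i] for i in msg[pos:pos + n_acc]], pos + n_acc
        n_data, pos = read_compact_u16(msg, pos)
        data, pos = msg[pos:pos + n_data], pos + n_data
        instructions.append((keys[prog_idx], accounts, data))
    return keys, blockhash, instructions
def screen_for_durable_nonce(msg):
    """Flag a message whose first instruction is SystemProgram::AdvanceNonceAccount: it never
    expires (the blockhash field holds the nonce value), so surface nonce account and authority."""
    _, blockhash, instructions = parse_legacy_message(msg)
    if not instructions:
        return {"durable_nonce": False}
    program, accounts, data = instructions[0]
    if not (program == SYSTEM_PROGRAM and len(accounts) == 3 and len(data) >= 4
            and struct.unpack("<I", data[:4])[0] == ADVANCE_NONCE_ACCOUNT):
        return {"durable_nonce": False}
    # AdvanceNonceAccount account order: [nonce account, RecentBlockhashes sysvar, authority]
    return {"durable_nonce": True, "nonce_account": accounts[0],
            "nonce_authority": accounts[2], "nonce_value": blockhash}
# Constructed sample (placeholder keys, not real addresses); every shortvec length below is < 128
AUTHORITY, NONCE_ACCOUNT, SYSVAR, NONCE_VALUE = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, b"\x0a" * 32
HEADER_AND_KEYS = bytes([1, 0, 2, 4]) + AUTHORITY + NONCE_ACCOUNT + SYSVAR + SYSTEM_PROGRAM
ADVANCE_IX = bytes([3, 3, 1, 2, 0, 4]) + struct.pack("<I", ADVANCE_NONCE_ACCOUNT)  # prog=3, accts=[1,2,0]
TRANSFER_IX = bytes([3, 2, 0, 1, 12]) + struct.pack("<IQ", 2, 1_000_000)            # Transfer 0.001 SOL
DURABLE_MSG = HEADER_AND_KEYS + NONCE_VALUE + bytes([2]) + ADVANCE_IX + TRANSFER_IX
ORDINARY_MSG = HEADER_AND_KEYS + b"\x0b" * 32 + bytes([1]) + TRANSFER_IX  # blockhash-based, expires
```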
As early as March 23, multiple durable nonce accounts were established across multisig members and attacker-controlled wallets. This pointed to weeks of advance planning and careful staged execution before the attack was carried out.
The attacker likely obtained the 2-of-5 multisig approvals through sophisticated social engineering, with misrepresented transaction approvals considered a likely method for gaining those signatures.
On March 27, Drift carried out a Security Council multisig migration, apparently to address the existing security concerns. Shortly after, the attacker regained effective access to the required signers.
This showed that the compromise was persistent and extended well beyond the migration event; the migration did not block the attacker’s ability to proceed with the plan.
According to initial findings shared by SolanaFloor, the attack was highly coordinated and involved weeks of preparation. On April 1, a legitimate insurance fund test transaction took place on the platform.
Just minutes later, two pre-signed nonce transactions were executed in rapid succession. This enabled a near-instant takeover of the protocol’s admin controls.
With full admin control secured, the attacker introduced a malicious asset into the protocol. Withdrawal limits were then removed, and protocol permissions were exploited to drain funds from users.
The total amount withdrawn reached approximately $280 million across the platform. All funds held in borrow/lend, vault deposits, and trading balances were affected by the drain.
Funds not deposited into Drift, including DSOL, were unaffected by the exploit. Insurance Fund assets are currently being moved to safer locations for protection.
All protocol functions have since been frozen to limit further damage. The compromised multisig wallet has also been removed to prevent continued access.
Drift is now actively working with security firms, bridges, and exchanges to trace the stolen assets. Law enforcement agencies have also been brought into the investigation.
The team is coordinating across multiple channels to explore potential recovery options. A full postmortem report is expected to be published in the near future.
No timeline has been shared by Drift for when platform operations might resume. The team confirmed that recovery coordination remains the current priority at this time.
Drift is also working with law enforcement to identify the individuals behind the attack. Further updates are expected as the investigation continues to develop.
The post Drift Protocol Loses $280M as Attacker Uses Durable Nonce Accounts to Seize Admin Control appeared first on Blockonomi.
