
Here is how Drift attackers drained more than $270 million using a Solana feature designed for convenience

The attack on Drift Protocol was not a hack in the traditional sense.

No one found a bug or cracked a private key. There was no flash-loan loophole and no rigged oracle either.

Instead, the attackers used a legitimate Solana feature, "durable nonces" (also described as persistent nonces), to trick members of Drift's Security Council into pre-approving transactions that were executed more than a week later, at a time and in a context the signers never expected.

The result was a loss of at least $270 million, in an attack that took less than a minute to execute but more than a week to prepare.

What are durable nonces and why do they exist?

On Solana, every transaction carries a "recent blockhash", which proves the transaction was built recently. A blockhash stays valid for roughly 60 to 90 seconds; a transaction that is not submitted to the network within that window is rejected. This is a safety feature: it stops old, stale transactions from being replayed later.

Durable nonces bypass this expiry. In place of a recent blockhash, the transaction references a nonce value stored in a dedicated on-chain nonce account, and its first instruction advances that nonce. Because the stored nonce does not expire, the transaction stays valid indefinitely, until someone submits it or the nonce account's authority advances the nonce.

This feature exists for a valid reason. Hardware wallets, offline signing setups, and institutional custody solutions all need to be able to prepare and approve transactions without being forced to submit them within 90 seconds.

But a transaction that never expires is a liability. If you can get someone to sign a transaction today, it can be executed next week or next month, and the chain will accept it under the same rules. Once given, the signature cannot be withdrawn without manually advancing the nonce account, and most signers do not monitor their nonce accounts.

How the attackers used them

Drift's protocol is governed by a Security Council multisig, a setup in which control is shared among several people (in this case, five) and any action requires approval from at least two of them. A multisig is standard security practice in DeFi, built on the idea that compromising one person is not enough to steal funds.

But the attacker did not need to steal anyone's keys. All they needed were two signatures, and those appear to have been obtained through what Drift describes as "unauthorized or misrepresented transaction approval", meaning the signers may have believed they were approving a routine transaction.

This is the timeline Drift posted on X on Thursday.

On March 23, four durable nonce accounts were created. Two were tied to legitimate members of Drift's Security Council and two were controlled by the attackers. This means the attackers had already obtained valid signatures from two of the five council members, locked into durable nonce transactions that would not expire.

On March 27, Drift executed a planned council rotation to replace one member. The attackers adapted: by March 30, a new durable nonce account appeared, tied to a member of the updated multisig, indicating that the attackers had regained the required two-of-five approval threshold under the new configuration.

On April 1, the attackers executed.

First, Drift made a legitimate test withdrawal from its insurance fund. About a minute later, the attacker submitted the pre-signed durable nonce transactions. Two transactions four slots apart on Solana were enough to create and approve a malicious admin-transfer proposal, then approve it a second time and execute it.

Within minutes, the attacker had full protocol-level control over Drift. They used that control to introduce fraudulent withdrawal paths and drain the vaults.

What was taken and where it went

On-chain researchers tracked the flow of funds in real time. A breakdown of the stolen assets compiled by security researcher Vladimir S. puts the total value of the dozens of tokens taken at approximately $270 million.

The largest single category is JLP tokens at $155.6 million, followed by USDC at $60.4 million, cbBTC (Coinbase wrapped Bitcoin) at $11.3 million, USDT at $5.65 million, wrapped Ether at $4.7 million, dSOL at $4.5 million, WBTC at $4.4 million, about $410,000 in FARTCOIN, and smaller amounts of JUP, JitoSOL, mSOL, bSOL, EURC and others.

The main drainer wallet was funded through NEAR Intents eight days before the attack but stayed dormant until execution day. The stolen funds were moved to an intermediary wallet funded the previous day through Backpack, an exchange that requires identity verification, which may give investigators a lead.

From there, funds were bridged to Ethereum addresses via Wormhole. Those Ethereum addresses had been pre-funded through the Tornado Cash privacy mixer.

Well-known on-chain investigator ZachXBT noted that more than $230 million in USDC was moved from Solana to Ethereum via Circle's CCTP (Cross-Chain Transfer Protocol) in more than 100 transactions.

He criticized Circle, the centralized issuer of USDC, for not freezing the stolen USDC in the six hours after the attack began at around noon Eastern time.

The attack also echoes earlier social engineering incidents that used similar tactics, according to a social media post by a user named "Temmy". "We've seen this before. We've seen it many times," the user said.

"Bybit. $1.4 billion. Attackers compromised signing infrastructure and tricked signers into authorizing malicious transactions. Same concept. Social engineering. Not code. Ronin Bridge. $625 million. Compromised validator keys. Same story. Cetus protocol. $223 million. Different methods, but same results. Hundreds of millions of people disappeared," the post said.

What broke, and what did not

The multisig itself did not fail; the operational layer around it did. Durable nonces let an attacker separate the moment of approval from the moment of execution by more than a week, creating a gap in which the context in which the transaction was signed no longer matches the context in which it is used.

All deposits, vault deposits and trading balances held in Drift's lending products are affected. dSOL not deposited into Drift (including SOL staked with Drift validators) is not affected. Insurance fund assets were withdrawn to protect them. The protocol has been frozen and the compromised wallets have been removed from the multisig.

This is the third major exploit in recent months that did not involve a code vulnerability. Social engineering and operational security failures, rather than smart contract flaws, are increasingly the reason funds leave DeFi protocols.

The durable nonce vector is particularly dangerous because it abuses a feature that exists for good reason and is hard to defend against without fundamentally changing how multisig approvals work on Solana.

Drift's upcoming detailed postmortem should answer the open question of how two independent multisig members came to approve a transaction they did not understand, and whether tooling or interface changes could flag durable nonce transactions as requiring additional review.
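The tooling change raised here, and the durable nonce mechanics described earlier (a nonce-backed transaction is one whose first instruction advances a nonce account in place of a recent blockhash), can both be shown with a small checker that a signing interface could run before presenting a message to a council member. The following is an added example written for this article; it is not Drift's code and not the Solana SDK. It hand-parses the Solana legacy message layout and applies the runtime's own rule for recognising a durable nonce transaction. Every key, the stored nonce value and the sample messages are constructed for illustration, and the recent_blockhashes sysvar address is a stand-in rather than the real one.

```python
"""Flag durable-nonce transactions before a multisig member signs them.

Added example: not Drift's code and not the Solana SDK. It hand-parses the
Solana legacy message layout (3-byte header, compact-u16 length prefixes,
32-byte account keys, 32-byte recent blockhash, compiled instructions) and
applies the runtime's rule for a durable-nonce transaction: instruction 0 is
SystemProgram AdvanceNonceAccount (u32 LE discriminant 4) on a writable nonce
account. Keys and messages below are constructed; the sysvar key is a stand-in.
"""
import struct

SYSTEM_PROGRAM = bytes(32)                # base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT, TRANSFER = 4, 2    # SystemInstruction discriminants
B58 = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 (Bitcoin alphabet), the form Solana prints public keys in."""
    n, digits = int.from_bytes(raw, "big"), bytearray()
    while n:
        n, r = divmod(n, 58)
        digits.append(B58[r])
    return (B58[:1] * (len(raw) - len(raw.lstrip(b"\0"))) + digits[::-1]).decode()


def encode_compact_u16(n: int) -> bytes:
    """7 bits per byte, high bit = continuation (Solana's compact-u16)."""
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def decode_compact_u16(buf: bytes, pos: int):
    value = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 14:
            raise ValueError("compact-u16 longer than 3 bytes")


def build_message(header, keys, blockhash, instructions) -> bytes:
    """Serialize a legacy message; instructions are (program_index, account_indices, data)."""
    out = bytearray(header) + encode_compact_u16(len(keys)) + b"".join(keys) + blockhash
    out += encode_compact_u16(len(instructions))
    for program_index, accounts, data in instructions:
        out += bytes([program_index]) + encode_compact_u16(len(accounts)) + bytes(accounts)
        out += encode_compact_u16(len(data)) + data
    return bytes(out)


def parse_message(buf: bytes) -> dict:
    """Inverse of build_message; rejects trailing bytes."""
    header, pos = tuple(buf[:3]), 3
    n_keys, pos = decode_compact_u16(buf, pos)
    keys, pos = [buf[pos + 32 * i:pos + 32 * i + 32] for i in range(n_keys)], pos + 32 * n_keys
    blockhash, pos = buf[pos:pos + 32], pos + 32
    n_ix, pos = decode_compact_u16(buf, pos)
    instructions = []
    for _ in range(n_ix):
        program_index, pos = buf[pos], pos + 1
        n_acc, pos = decode_compact_u16(buf, pos)
        accounts, pos = list(buf[pos:pos + n_acc]), pos + n_acc
        n_data, pos = decode_compact_u16(buf, pos)
        data, pos = buf[pos:pos + n_data], pos + n_data
        instructions.append((program_index, accounts, data))
    if pos != len(buf):
        raise ValueError("trailing bytes after message")
    return {"header": header, "keys": keys, "blockhash": blockhash, "instructions": instructions}


def is_writable(msg: dict, index: int) -> bool:
    """Account order: writable signers, read-only signers, writable non-signers, read-only."""
    num_signed, ro_signed, ro_unsigned = msg["header"]
    if index < num_signed:
        return index < num_signed - ro_signed
    return index < len(msg["keys"]) - ro_unsigned


def durable_nonce_account(msg: dict):
    """Base58 nonce account if msg is a durable-nonce message, else None.
    Only instruction 0 counts: an AdvanceNonceAccount placed later is an ordinary
    instruction and the message still expires with its blockhash."""
    if not msg["instructions"]:
        return None
    program_index, accounts, data = msg["instructions"][0]
    if msg["keys"][program_index] != SYSTEM_PROGRAM or len(data) != 4:
        return None
    if struct.unpack("<I", data)[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    if not accounts or not is_writable(msg, accounts[0]):
        return None
    return b58encode(msg["keys"][accounts[0]])   # the signing UI should surface this


# Constructed sample (not real addresses); key order follows is_writable's rule.
AUTHORITY = bytes([0x11]) * 32                   # fee payer and nonce authority (signer)
NONCE_ACCOUNT = bytes([0x22]) * 32               # writable; holds the stored nonce value
RECIPIENT = bytes([0x33]) * 32                   # writable
RECENT_BLOCKHASHES_SYSVAR = bytes([0x44]) * 32   # stand-in for the real sysvar address
KEYS = [AUTHORITY, NONCE_ACCOUNT, RECIPIENT, RECENT_BLOCKHASHES_SYSVAR, SYSTEM_PROGRAM]
HEADER = (1, 0, 2)                               # 1 signer, 0 read-only signers, 2 read-only others
STORED_NONCE, RECENT_BLOCKHASH = bytes([0x99]) * 32, bytes([0x77]) * 32

ADVANCE_IX = (4, [1, 3, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT))   # nonce, sysvar, authority
TRANSFER_IX = (4, [0, 2], struct.pack("<IQ", TRANSFER, 1_000_000))       # 0.001 SOL to RECIPIENT

DURABLE_MSG = build_message(HEADER, KEYS, STORED_NONCE, [ADVANCE_IX, TRANSFER_IX])
ORDINARY_MSG = build_message(HEADER, KEYS, RECENT_BLOCKHASH, [TRANSFER_IX])
MISORDERED_MSG = build_message(HEADER, KEYS, RECENT_BLOCKHASH, [TRANSFER_IX, ADVANCE_IX])
```

`durable_nonce_account(parse_message(DURABLE_MSG))` returns the nonce account's base58 address, while the ordinary and misordered messages return `None`; a signing front end can use that result to show a "valid until the nonce is advanced" warning instead of the usual "expires in about a minute" assumption. The same parse gives the `blockhash` field, which for a durable message is the nonce value stored in the account rather than a real blockhash. The check deliberately ignores an AdvanceNonceAccount that is not instruction 0, matching the runtime: such a message is still bound to its blockhash and expires normally.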

Read more: North Korean hackers may be behind $286M Drift protocol breach
