Drift Protocol Drained of $270 Million Using Solana Durable Nonces - North Korea Suspected
— By Tony Rabbit in Crypto

Drift Protocol has been drained of $270 million in a sophisticated social engineering attack exploiting Solana's durable nonces feature. Elliptic links the exploit to North Korean hackers, marking the third major DeFi exploit this year that bypassed code security entirely.
Drift Protocol, one of Solana's largest perpetual futures and lending platforms, has been drained of approximately $270 million in what security researchers are calling one of the most sophisticated social engineering attacks in DeFi history. The exploit did not involve a single line of buggy code.
What Happened
The attack leveraged Solana's durable nonces - a legitimate feature designed to let hardware wallets and institutional custody solutions pre-sign transactions without the standard 90-second expiry window. The attacker used this feature to trick two of Drift's five Security Council multisig members into signing what appeared to be routine transactions, then held those pre-signed approvals for over a week before executing them.
On March 23, four durable nonce accounts were created - two tied to legitimate Drift council members and two controlled by the attacker. By March 30, the attacker had adapted to a planned Security Council migration and re-obtained the required two-of-five approval threshold. On April 1, the attacker submitted the pre-signed transactions in two operations just four slots apart on the Solana blockchain, gaining full control of Drift's protocol-level permissions in under a minute.
$270 Million Breakdown
Onchain researchers tracked the stolen assets in real time:
- $155.6 million in JLP tokens
- $60.4 million in USDC
- $11.3 million in CBBTC (Coinbase wrapped Bitcoin)
- $5.65 million in USDT
- $4.7 million in wrapped ETH
- $4.5 million in DSOL
- $4.4 million in WBTC
- $4.1 million in FARTCOIN
- Smaller amounts across JUP, JITOSOL, MSOL, BSOL, EURC, and others
North Korea Connection
Blockchain analytics firm Elliptic has identified cross-chain laundering patterns and Solana-specific tracing challenges that mirror prior North Korean state-linked operations. The attacker used a wallet funded via NEAR Protocol intents eight days before the attack and moved stolen funds to Ethereum through Wormhole, with pre-funded addresses laundered through Tornado Cash.
ZachXBT noted that over $230 million in USDC was bridged from Solana to Ethereum via Circle's CCTP across more than 100 transactions, criticizing Circle for not freezing the funds during a six-hour window after the attack began.
A Pattern of Social Engineering
This marks the third major DeFi exploit in recent months that did not involve a code vulnerability. The pattern mirrors the Bybit hack ($1.4 billion), the Ronin bridge exploit ($625 million), and the Cetus Protocol breach ($223 million) - all cases where social engineering, not smart contract bugs, was the attack vector.
As one researcher noted: "We've seen this before. Same concept. Social engineering. Not code."
What Happens Now
Drift Protocol has been frozen, and the compromised wallet has been removed from the multisig. All deposits into Drift's borrow-and-lend products, vault deposits, and trading funds are affected. Insurance fund assets are being withdrawn and safeguarded. DSOL tokens not deposited in Drift, including assets staked to the Drift validator, remain unaffected.
The exploit has renewed urgent calls for DeFi protocols to rethink their reliance on multisig governance and implement additional safeguards around durable nonce usage, including time-locked execution windows and real-time nonce monitoring.
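The durable-nonce safeguard described above can start at signing time. The following is an added example, not code from Drift or from this article: it flags a signing request whose signature will not expire and reports who controls the nonce. It assumes the transaction message has already been decoded into the simplified dictionary shown (a hypothetical shape), and every key string except the System Program and sysvar addresses is a constructed placeholder.

```python
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction variant index, serialized as u32 LE


def durable_nonce_info(message):
    """Return the nonce account and authority if `message` uses a durable nonce.

    A durable-nonce transaction must begin with a System Program
    AdvanceNonceAccount instruction; its accounts are
    [nonce account, RecentBlockhashes sysvar, nonce authority].
    """
    keys, instructions = message["account_keys"], message["instructions"]
    if not instructions:
        return None
    first = instructions[0]
    if keys[first["program_id_index"]] != SYSTEM_PROGRAM:
        return None
    data, accounts = first["data"], first["accounts"]
    if len(data) < 4 or struct.unpack_from("<I", data)[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    if len(accounts) < 3:
        return None
    return {"nonce_account": keys[accounts[0]], "nonce_authority": keys[accounts[2]]}


def review_before_signing(message, my_keys):
    """Classify a signing request: 'expires', 'durable-own' or 'durable-foreign'."""
    info = durable_nonce_info(message)
    if info is None:
        return "expires"          # bound to a recent blockhash, signature ages out
    if info["nonce_authority"] in my_keys:
        return "durable-own"      # signer can advance the nonce to cancel
    return "durable-foreign"      # someone else decides when, or whether, this runs


# Constructed sample: key strings other than the two well-known addresses are placeholders.
SAMPLE = {
    "account_keys": ["COUNCIL_MEMBER_KEY", "NONCE_ACCOUNT_KEY", "UNKNOWN_AUTHORITY_KEY",
                     "SysvarRecentB1ockHashes11111111111111111111", SYSTEM_PROGRAM,
                     "GOVERNANCE_PROGRAM_KEY"],
    "instructions": [
        {"program_id_index": 4, "accounts": [1, 3, 2], "data": struct.pack("<I", 4)},
        {"program_id_index": 5, "accounts": [0], "data": b"\x01"},
    ],
}

if __name__ == "__main__":
    print(review_before_signing(SAMPLE, {"COUNCIL_MEMBER_KEY"}))
```

A "durable-foreign" result is the case to escalate: the signature stays valid until the nonce is advanced, and only the nonce authority can do that.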
Frequently Asked Questions
Q: What is the Drift Protocol and what happened to it?
A: The Drift Protocol is a decentralized exchange (DEX) on the Solana blockchain. It experienced an exploit where approximately $270 million was drained from its treasury.
Q: How was the Drift Protocol drained of funds?
A: The exploit leveraged Solana's durable nonces feature, which was misused to repeatedly execute an old, authorized transaction. This allowed the attacker to drain funds from the protocol's treasury.
Q: What are Solana durable nonces and how were they involved?
A: Solana durable nonces are typically used for transactions that need to remain valid across many blocks without expiring. In this incident, they were exploited to re-execute a transaction that should have been a one-time event.
Q: Who is suspected of being behind the Drift Protocol exploit?
A: North Korea is suspected of being involved in the attack. This suspicion is based on observed tactics and past patterns of state-sponsored cybercrime targeting cryptocurrency platforms.
Q: What was the total amount lost in the Drift Protocol incident?
A: The total amount drained from the Drift Protocol's treasury was approximately $270 million. This significant loss impacted the protocol's operational funds.