Drift Protocol, a Solana-based perpetuals trading platform, is dealing with the fallout of a major exploit that has drained approximately $280 million from its ecosystem.
Onchain data confirms that the breach was not a routine hack, but a carefully coordinated operation that unfolded over several weeks before execution.
Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.
This was a highly sophisticated operation that appears to have involved…
— Drift (@DriftProtocol) April 2, 2026
What makes this case stand out is how the attacker didn’t break the protocol in the traditional sense. Instead, they appear to have gained control from within, targeting governance mechanisms rather than smart contract vulnerabilities.
How The Attack Quietly Took Shape
According to Drift’s investigation so far, the exploit was made possible through a mix of durable nonce accounts and compromised transaction approvals. Durable nonces are a Solana feature that allows transactions to be signed in advance and executed later.
In this case, the attacker allegedly used that feature to their advantage. By pre-signing transactions and delaying their execution, they were able to stage the attack without triggering immediate suspicion.
Drift says there’s no evidence of a bug in its smart contracts, and no indication that seed phrases were compromised. Instead, the issue appears to come down to how approvals were obtained. The team believes some transaction approvals may have been misrepresented or secured through targeted social engineering.
It’s a different kind of attack, one that focuses less on code and more on people and process.
Durable Nonces And Multisig Weaknesses Exploited
At the center of the breach is Drift’s Security Council multisig, which requires multiple approvals to authorize key actions. The attacker managed to secure enough approvals, two out of five, to push through critical changes.
Using durable nonce accounts, they pre-positioned access well in advance. This allowed them to act quickly when the time came. Within minutes, they executed a malicious admin transfer, effectively taking control of protocol-level permissions.
Once in control, the attacker introduced a malicious asset and removed withdrawal limits that were meant to protect user funds. That opened the door to rapid and large-scale withdrawals.
The speed of execution stands out. What took weeks to prepare was completed in minutes.
A Timeline That Points To Careful Planning
Drift has shared a detailed timeline that shows how the attack unfolded step by step.
On March 23, four durable nonce accounts were created, two linked to multisig members and two controlled by the attacker. This suggests that at least two signers had already approved transactions tied to these accounts.
By March 27, the protocol carried out a planned migration of its Security Council due to a member change. While unrelated on the surface, this shift may have created an opportunity for the attacker to re-establish access.
On March 30, another durable nonce account was set up, this time tied to the updated multisig. Again, it appears the attacker managed to secure the necessary approvals.
Then, on April 1, everything moved quickly. A legitimate test transaction was executed by the team, likely as part of routine operations. About a minute later, the attacker triggered two pre-signed transactions, completing the takeover.
The sequence suggests a high level of patience and coordination. Nothing about the attack looks rushed.
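The two on-chain signals in this timeline, nonce accounts tied to council signers and durable-nonce transactions touching the council multisig, can be watched for. The sketch below is an added example, not Drift's code or tooling: it assumes transactions in the shape of Solana's jsonParsed RPC encoding, and every address and sample transaction in it is a constructed placeholder.

```python
# Added example. Field names follow Solana's jsonParsed RPC encoding (assumed);
# every address below is a constructed placeholder, not a real account.
SYSTEM_PROGRAM = "11111111111111111111111111111111"
COUNCIL_SIGNERS = {"SignerA", "SignerB", "SignerC", "SignerD", "SignerE"}
COUNCIL_MULTISIG = "CouncilMultisig"

def _is_system(ix, kind):
    return (ix.get("programId") == SYSTEM_PROGRAM
            and ix.get("parsed", {}).get("type") == kind)

def review(tx):
    """Return (finding, nonce_account) tuples for one parsed transaction."""
    msg = tx["transaction"]["message"]
    ixs, findings = msg["instructions"], []
    # 1. A nonce account initialised with a council signer as its authority.
    for ix in ixs:
        if _is_system(ix, "initializeNonce"):
            info = ix["parsed"]["info"]
            if info["nonceAuthority"] in COUNCIL_SIGNERS:
                findings.append(("nonce_account_for_signer", info["nonceAccount"]))
    # 2. A durable-nonce transaction starts with advanceNonce, so its signatures
    #    do not expire with a recent blockhash. Flag it if it touches the council.
    if ixs and _is_system(ixs[0], "advanceNonce"):
        if COUNCIL_MULTISIG in {k["pubkey"] for k in msg["accountKeys"]}:
            nonce = ixs[0]["parsed"]["info"]["nonceAccount"]
            findings.append(("durable_nonce_tx_on_council", nonce))
    return findings

def _tx(keys, *ixs):  # builds a constructed sample transaction
    return {"transaction": {"message": {
        "accountKeys": [{"pubkey": k} for k in keys], "instructions": list(ixs)}}}

def _sys(kind, **info):  # builds a constructed System Program instruction
    return {"programId": SYSTEM_PROGRAM, "parsed": {"type": kind, "info": info}}

SAMPLES = [  # constructed, not taken from the incident
    _tx(["SignerA", "Nonce1"],
        _sys("createAccount", source="SignerA", newAccount="Nonce1"),
        _sys("initializeNonce", nonceAccount="Nonce1", nonceAuthority="SignerA")),
    _tx(["Outsider", "Nonce2", "CouncilMultisig"],
        _sys("advanceNonce", nonceAccount="Nonce2", nonceAuthority="Outsider"),
        {"programId": "MultisigProgram", "accounts": ["CouncilMultisig"],
         "data": "constructed"}),
    _tx(["SignerB", "Recipient"],
        _sys("transfer", source="SignerB", destination="Recipient", lamports=1)),
]

if __name__ == "__main__":
    for i, tx in enumerate(SAMPLES):
        print(i, review(tx))
```

The same advanceNonce check can run on the signer's side before approval, so a council member sees that the message being signed has no expiry.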
Funds Drained As Protections Are Bypassed
Once control was secured, the attacker moved fast. With admin-level access, they were able to bypass existing safeguards and begin withdrawing funds.
Drift confirms that deposits across several areas were affected, including borrow and lend positions, vault deposits, and funds used for trading. In short, a large portion of user funds within the protocol was exposed.
However, not everything was impacted. Assets like DSOL that were not deposited into Drift remain safe, including tokens staked to the Drift validator. The protocol’s insurance fund is also being withdrawn and secured as a precaution.
Still, the scale of the losses, roughly $280 million, places this incident among the more significant exploits seen in the Solana ecosystem.
Response Efforts And What Comes Next
In response to the breach, Drift has frozen remaining protocol functions to prevent further damage. The compromised wallet has been removed from the multisig, and additional steps are being taken to secure what’s left.
The team says it is working with security firms, exchanges, bridges, and law enforcement to trace and potentially freeze the stolen assets. Efforts are also underway to better understand how the approvals were obtained and whether additional vulnerabilities exist in governance processes.
A full postmortem is expected in the coming days, which should provide more clarity on what went wrong and how similar incidents can be prevented.
For now, the exploit serves as a reminder that risks in DeFi don’t always come from broken code. Sometimes, they come from the systems and people surrounding it.