crifgithub
Security

Drift 2026 — a post-mortem

On April 1, 2026, a coordinated group linked to North Korean state actors drained $285 million from Drift Protocol's Squads multisig. They did not exploit a bug. They did not steal a key. This page reconstructs the attack from public reporting and explains, line by line, how this engine would have flagged the fatal transaction before either council member hit sign.

Topline

  • Loss:approximately $285 million, >50% of Drift's TVL.
  • Attacker: North Korea-linked group (TRM Labs attribution, consistent with Lazarus tactics).
  • Method: six-month social engineering buildup, then pre-signed config_transaction_execute wrapped in durable nonces.
  • Time from fire to drain: 12 minutes.
  • Time from drain to Ethereum: under one hour.
  • Second largest Solana exploit of all time, behind only the 2022 Wormhole bridge hack ($326M).

Timeline

Six months before — the buildup

The attacker group stood up a fake quantitative trading firm with a plausible brand, a website, public LinkedIn profiles, and a GitHub organization hosting clean-looking Rust and TypeScript code. They approached Drift contributors via Discord and Telegram with proposals framed as liquidity partnerships and market-making integrations. Over months they built up relationships that looked identical to the kind of business development conversations a growing DeFi protocol handles every week.

The goal of this phase was not to extract credentials or compromise a machine. The goal was to become someone whose upcoming transaction, once it appeared in the council's review channel, would read as routine business.

March 23, 2026 — the pre-signing

The attacker presented a transaction framed as a "routine upgrade": a Squads config_transaction_executethat would, in the attacker's framing, apply an already-queued config change. Two council members signed it. The signatures were attached to transactions using a durable nonce — a Solana feature that replaces the usual expiring recent-blockhash with a fixed on-chain nonce account, making the signed transaction valid indefinitely.

In parallel, the attacker created four durable-nonce accounts on chain. Two of them were wired to the signatures the council members had just provided. Two of them were controlled entirely by the attacker and used for follow-up transactions once admin control was seized.

April 1, 2026 — the fire

Approximately 12:00 UTC, the attacker submitted the pre-signed durable-nonce transactions. Because durable-nonce transactions have no blockhash expiry, the signatures collected on March 23 were still valid. Within 4 slots of each other, two transactions landed:

  1. The first invoked config_transaction_execute on the Squads multisig, applying a config change that transferred the Drift Protocol admin authority.
  2. The second invoked the admin transfer itself, moving the program authority fully under the attacker's control.

+ 1 minute — the drain

With admin authority in hand, the attacker executed a sequence that had been prepared in advance:

  1. Whitelisted a worthless, artificially-priced fake token (CVT) as valid Drift collateral.
  2. Deposited 500 million CVT into a Drift user account.
  3. Used the CVT collateral to withdraw roughly $285 million in real USDC, SOL, and ETH.

+ 12 minutes — Ethereum

The bulk of the stolen value was bridged to Ethereum within the first hour. Approximately 232 million USDC made it through the bridge before Circle's compliance process could freeze anything. ZachXBT publicly criticized Circle's handling of the freeze window.

The technical root cause

The exploit combined three normally-safe mechanisms in a sequence that no single mechanism was designed to prevent.

1. Durable nonces

Durable nonces exist for a legitimate reason: hardware wallets, offline signing setups, and institutional custody flows all need the ability to prepare and approve transactions without being forced to submit them within Solana's ~90 second blockhash window. The trade-off is that a signature attached to a durable-nonce transaction is valid indefinitely, until someone either submits the transaction or manually advances the nonce account.

There is no user-facing revoke-my-signature operation. Once the signatures exist, the only way to invalidate them is to advance the nonce account out-of-band — an operation that the average signer does not monitor or even know about.

2. Squads governance opacity

Squads multisigs queue administrative actions as separate transaction accounts; a council member signing a config_transaction_execute action is approving the execution of whatever is currently stored in that transaction account. The signing flow typically does not decode the inner instructions for the signer — it shows them a reference and a hash. At Drift's configuration (a 2-of-5 threshold with zero timelock), two approvals were enough to trigger execution with no grace period.

3. Social engineering as the lever

None of the above is unusual on its own. What closed the loop was six months of relationship-building that made the pre-signing request look like an ordinary business operation. The signers had no reason to assume malice, and they had no tool that would have shown them otherwise.

How the engine catches it

Given the same transaction the attacker used on April 1, crif applies the following chain of reasoning, fully offline:

  1. The decoder sees the first instruction has program_id == System and the 4-byte tag 0x04. It matches that as AdvanceNonceAccount and flags the transaction as using a durable nonce.
  2. The decoder sees the second instruction has program_id == SQDS4ep65T869... and an 8-byte Anchor discriminator. It computes sha256("global:config_transaction_execute")[0..8] and matches. The decoder returns a DecodedInstruction with risk = Critical and the reason line "This is the class of instruction used in the April 2026 Drift exploit."
  3. The classifier starts at LOW, takes the max per-instruction risk (CRITICAL from the Squads execute), then sees uses_durable_nonce == true.
  4. The classifier checks the Drift pattern rule: uses_durable_nonce AND any instruction name in the set {config_transaction_execute, multisig_set_config, vault_transaction_execute}. Both conditions are true.
  5. The classifier forces the verdict to Critical and prepends the multi-line Drift 2026 callout to the human summary.
  6. The CLI prints the verdict in red. The signing UI, if wired up to the engine, surfaces the full pattern explanation before the user confirms.

Reproducing the result

The repo ships an example that synthesizes a transaction with the exact shape of the Drift exploit and prints both the base64 serialization and the offline legibility report:

drift attack reproduction
$ cargo run --example drift_attack

signer (council member): 4kfEfEk7HrCLpdqo3vtrMYYF9ehzCAm7i4wZeK5f6syi
multisig PDA (fake):     1111111QLbz7JHiBTspS962RLKV8GndWFwiEaqKM
instructions: AdvanceNonceAccount, Squads.config_transaction_execute

BASE64: AbViYw9Axfz+LuKZ9pxLcFzfCRS8rasl633GI...

overall_risk       = Critical
uses_durable_nonce = true

You can also feed the emitted base64 straight through the CLI to confirm the pipeline end-to-end:

cli roundtrip
$ sle simulate --offline --tx "$BASE64"
...
 Overall risk: CRITICAL
 ! DURABLE NONCE: yes - this transaction has no expiry
 [X] CRITICAL — this transaction matches the APRIL 2026
     DRIFT EXPLOIT PATTERN: ...

Sources

  • CoinDesk — "How a Solana feature designed for convenience let an attacker drain $270 million from Drift" (April 2, 2026)
  • BlockSec — "Drift Protocol Incident: Multisig Governance Compromise via Durable Nonce Exploitation"
  • Cyfrin — "Drift Protocol's $285M Hack: Why Transaction Legibility Is the Fix"
  • Chainalysis — "Drift Protocol Hack: How Privileged Access Led to a $285M Loss"
  • TRM Labs — "North Korean Hackers Attack Drift Protocol in $285 Million Heist"
  • The Block — "Drift says $280M exploit tied to 'sophisticated' admin takeover; ZachXBT criticizes Circle over USDC handling"