Drift loses $280 million as hackers seize Security Council powers
Drift Protocol loses $280M after attacker gains Security Council admin control via multisig bypass.
Summary
The Drift Protocol, a DeFi trading platform on Solana, suffered a $280 million loss after a threat actor obtained 2/5 multisig approvals from Security Council members and used durable nonce accounts to pre-sign malicious transactions. The attacker executed their plan on April 1st by performing a legitimate transaction followed immediately by pre-signed malicious ones, transferring admin control and draining funds. No smart contract vulnerabilities or seed phrase compromises were involved; the attack exploited administrative process weaknesses.
Full text
By Bill Toulas, April 2, 2026 03:03 PM

The Drift Protocol lost at least $280 million after a threat actor took control of its Security Council administrative powers in a planned, sophisticated operation.

The attacker leveraged durable nonce accounts and pre-signed transactions to delay execution and strike with accuracy at a chosen time, the platform explained. Drift underlines that the hacker did not exploit any flaws in its programs or smart contracts, and no seed phrases have been compromised.

Drift Protocol is a DeFi trading platform built on the Solana blockchain that serves as a non-custodial exchange, giving users full control of their funds as they interact with on-chain markets. As of late 2024, the platform claimed to have 200,000 traders, supporting total trading volumes of more than $55 billion and a daily peak of $13 million.

According to Drift's report, the heist was prepared between March 23 and 30, with the attacker setting up durable nonce accounts and obtaining 2/5 multisig approvals from Security Council members to meet the required threshold. This enabled them to pre-sign malicious transactions that weren’t executed immediately.

On April 1st, the attacker performed a legitimate transaction and immediately executed the pre-signed malicious transactions, transferring admin control to themselves within minutes. Having gained admin control, they introduced a malicious asset, removed withdrawal limits, and eventually drained funds.

[Image. Source: PeckShield]

Drift Protocol estimates the losses at about $280 million, while blockchain tracking account PeckShieldAlert has calculated them at $285 million.

When unusual activity on the protocol was detected, Drift issued a public warning to users, stating that it had started an investigation and urging them not to deposit any funds until further notice.
As a result of the attack, borrow/lend deposits, vault deposits, and trading funds have been affected, and all protocol functions are now essentially frozen. Drift said DSOL is unaffected, and insurance fund assets are secured. The platform is now working with security firms, cryptocurrency exchanges, and law enforcement authorities to trace and freeze the stolen funds. Drift promised to publish a detailed post-mortem report in the coming days.
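One way a monitoring job could surface the pre-signed, delayed-execution pattern described above, as an added example that is not from the article or from Drift: it flags transactions that open with the System program's AdvanceNonceAccount instruction (the marker of a durable-nonce transaction) and also invoke a watched admin program. The record shape is assumed to be that of a `getTransaction` response with `jsonParsed` encoding; the watched program ID, signatures and account names are constructed placeholders.

```python
SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
# Hypothetical placeholder, not a real address: the multisig/admin program to watch.
WATCHED_ID = "EXAMPLE_MULTISIG_PROGRAM_ID"

def durable_nonce_info(tx):
    """Return the advanceNonce info if tx opens with AdvanceNonceAccount, else None."""
    instructions = tx["transaction"]["message"]["instructions"]
    first = instructions[0] if instructions else {}
    parsed = first.get("parsed")
    if (first.get("programId") == SYSTEM_PROGRAM_ID
            and isinstance(parsed, dict)
            and parsed.get("type") == "advanceNonce"):
        return parsed.get("info", {})
    return None  # recent-blockhash transaction: expires shortly after signing

def review_transaction(tx, watched=frozenset({WATCHED_ID})):
    """Return an alert when a durable-nonce transaction invokes a watched program."""
    info = durable_nonce_info(tx)
    if info is None:
        return None
    # Top-level instructions only; programs reached through CPI are not inspected.
    rest = tx["transaction"]["message"]["instructions"][1:]
    hit = sorted({ix.get("programId") for ix in rest} & set(watched))
    if not hit:
        return None
    return {"signature": tx["transaction"]["signatures"][0],
            "nonce_account": info.get("nonceAccount"),
            "nonce_authority": info.get("nonceAuthority"),
            "watched_programs": hit}

def _tx(sig, instructions):
    return {"transaction": {"signatures": [sig], "message": {"instructions": instructions}}}

# Constructed sample records (not real chain data).
ADVANCE = {"program": "system", "programId": SYSTEM_PROGRAM_ID,
           "parsed": {"type": "advanceNonce",
                      "info": {"nonceAccount": "NonceAcctEXAMPLE",
                               "nonceAuthority": "AuthorityEXAMPLE"}}}
ADMIN_IX = {"programId": WATCHED_ID, "accounts": [], "data": ""}
TRANSFER = {"program": "system", "programId": SYSTEM_PROGRAM_ID,
            "parsed": {"type": "transfer", "info": {}}}
SAMPLES = [_tx("sigA", [ADVANCE, ADMIN_IX]),  # durable nonce + admin program: alert
           _tx("sigB", [ADMIN_IX]),           # recent blockhash: no alert
           _tx("sigC", [ADVANCE, TRANSFER])]  # durable nonce, no watched program
ALERTS = [a for a in map(review_transaction, SAMPLES) if a]
```

An alert here means the signatures on an admin action may have been collected well before it landed on chain, so the approvals deserve an out-of-band check with the signers.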
Indicators of Compromise
- malware — Durable Nonce Account Exploit
- malware — Multisig Approval Bypass