Drift Protocol Loses $285 Million in Largest Solana DeFi Exploit

A sophisticated attacker exploited Solana's durable nonce feature to hijack governance controls at Drift Protocol, draining $285 million in assets in under 12 minutes before bridging funds to Ethereum.

By MiningPool Staff

A 12-Minute Heist

Drift Protocol, one of the largest decentralised exchanges on the Solana blockchain, lost approximately $285 million in digital assets on April 1 in what ranks among the biggest DeFi exploits in cryptocurrency history. The attack, which unfolded in roughly 12 minutes, drained USDC, SOL, JLP, wrapped Bitcoin, and Tether from the protocol's vaults before the team could intervene.

The exploit is the second-largest in Solana's history, behind only the $326 million Wormhole bridge hack in February 2022. It places Drift alongside Ronin Network, Poly Network, and BNB Bridge in the upper tier of DeFi security failures, and has reignited debate about governance design in decentralised protocols.

CoinDesk first reported that Drift had asked users to halt deposits after detecting suspicious activity. Within hours, blockchain analytics firms had mapped the full scope of the attack.

How the Attack Worked

The attacker used a novel technique involving Solana's durable nonces, a legitimate transaction feature designed to allow transactions to be pre-signed and executed later. By pre-signing administrative transfers weeks before the attack, the attacker was able to bypass Drift's multisig security controls and seize administrative powers from the protocol's Security Council.

Once in control, the attacker raised withdrawal limits to an absurd $500 trillion, deposited 7.85 million units of a fabricated token called CVT as supposed collateral, and then systematically borrowed real assets against it. The fake collateral allowed the attacker to drain blue-chip assets including USDC, JLP, cbBTC, and USDT from Drift's lending vaults.

After emptying the vaults, the funds were moved cross-chain to Ethereum using bridging infrastructure. Blockchain analytics firms TRM Labs and Elliptic have identified approximately 129,000 ETH now sitting in addresses linked to the attack.

Attribution and Response

Both TRM Labs and Elliptic have pointed to North Korea as the likely perpetrator, consistent with a pattern of state-sponsored attacks on DeFi protocols that has accelerated since the Lazarus Group's involvement in the Ronin Network exploit in 2022.

Drift's team initiated an on-chain outreach to the attacker's Ethereum addresses, a common first step in post-exploit negotiations. The protocol has also engaged with law enforcement and is working with centralised exchanges to flag and freeze any funds that surface on regulated platforms.

The incident has drawn attention to the governance architecture of DeFi protocols more broadly. Drift's Security Council, which was designed to provide emergency administrative control, became the vector through which the attack succeeded.

Implications for DeFi Security

The exploit highlights a persistent tension in DeFi protocol design: the administrative controls needed to respond to emergencies can themselves become attack surfaces. Durable nonces, while a useful Solana feature for legitimate use cases, were repurposed here to stage a governance takeover without triggering real-time alerts.
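A monitoring rule for the alerting gap described above, as an added example that is not Drift's code or part of the original article: a Solana transaction that uses a durable nonce begins with the System Program's AdvanceNonceAccount instruction, so a watcher can flag any such transaction that also reaches an administrative program or carries a council signature. The decoded-transaction layout (`signature`, `signers`, `instructions`, `program_id`, `data_hex`, `accounts`) and every identifier in the sample data are assumptions constructed for illustration.

```python
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # Solana System Program id
ADVANCE_NONCE = 4  # SystemInstruction::AdvanceNonceAccount, encoded as u32 little-endian

def uses_durable_nonce(tx):
    """True when the first instruction is System AdvanceNonceAccount."""
    if not tx["instructions"]:
        return False
    first = tx["instructions"][0]
    data = bytes.fromhex(first["data_hex"])
    return (first["program_id"] == SYSTEM_PROGRAM and len(data) >= 4
            and struct.unpack_from("<I", data)[0] == ADVANCE_NONCE)

def audit(txs, watched_programs, watched_signers):
    """Flag durable-nonce transactions that reach an admin program or use a council key."""
    alerts = []
    for tx in txs:
        if not uses_durable_nonce(tx):
            continue
        programs = {ix["program_id"] for ix in tx["instructions"][1:]} & watched_programs
        signers = set(tx["signers"]) & watched_signers
        if programs or signers:
            alerts.append({
                "signature": tx["signature"],
                "nonce_account": tx["instructions"][0]["accounts"][0],
                "programs": sorted(programs),
                "signers": sorted(signers),
            })
    return alerts

# Constructed sample data; every identifier below is a placeholder, not a real address.
ADMIN = "ADMIN_PROGRAM_PLACEHOLDER"
COUNCIL = {"COUNCIL_KEY_1_PLACEHOLDER", "COUNCIL_KEY_2_PLACEHOLDER"}
NONCE_IX = {"program_id": SYSTEM_PROGRAM, "data_hex": "04000000",
            "accounts": ["NONCE_ACCT_PLACEHOLDER", "SYSVAR_RECENT_BLOCKHASHES", "NONCE_AUTH_PLACEHOLDER"]}
SAMPLE = [
    {"signature": "SIG_A", "signers": ["COUNCIL_KEY_1_PLACEHOLDER", "NONCE_AUTH_PLACEHOLDER"],
     "instructions": [NONCE_IX, {"program_id": ADMIN, "data_hex": "00", "accounts": []}]},
    {"signature": "SIG_B", "signers": ["COUNCIL_KEY_2_PLACEHOLDER"],   # ordinary recent-blockhash tx
     "instructions": [{"program_id": ADMIN, "data_hex": "00", "accounts": []}]},
    {"signature": "SIG_C", "signers": ["USER_PLACEHOLDER"],            # nonce tx, unrelated to admin
     "instructions": [NONCE_IX, {"program_id": "OTHER_PROGRAM", "data_hex": "00", "accounts": []}]},
]

if __name__ == "__main__":
    for alert in audit(SAMPLE, {ADMIN}, COUNCIL):
        print(alert)
```

The rule fires only when the transaction executes, because a pre-signed durable-nonce transaction leaves no on-chain trace beforehand. Advancing the nonce account invalidates any transactions already signed against its stored value.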

The attack also raises questions about the adequacy of multisig security for high-value protocols. If pre-signed transactions can bypass time-locked governance mechanisms, the industry may need to adopt more sophisticated approaches to administrative key management, including hardware-enforced delays and multi-party computation.

For Solana's DeFi ecosystem, which had been recovering from a difficult 2025 marked by meme coin speculation and declining total value locked, the Drift exploit represents a significant setback. The network's total DeFi TVL has dropped by approximately 8 percent since the attack, according to DefiLlama.
