coin-img-ETHETH+0.66%coin-img-BTCBTC+0.53%coin-img-SOLSOL+0.66%coin-img-XAUTXAUT+0.98%coin-img-PAXGPAXG+0.92%coin-img-BASEDBASED+8.99%coin-img-CDDCDD-54.01%coin-img-XRPXRP+0.05%coin-img-ETHETH+0.66%coin-img-BTCBTC+0.53%coin-img-SOLSOL+0.66%coin-img-XAUTXAUT+0.98%coin-img-PAXGPAXG+0.92%coin-img-BASEDBASED+8.99%coin-img-CDDCDD-54.01%coin-img-XRPXRP+0.05%coin-img-ETHETH+0.66%coin-img-BTCBTC+0.53%coin-img-SOLSOL+0.66%coin-img-XAUTXAUT+0.98%coin-img-PAXGPAXG+0.92%coin-img-BASEDBASED+8.99%coin-img-CDDCDD-54.01%coin-img-XRPXRP+0.05%coin-img-ETHETH+0.66%coin-img-BTCBTC+0.53%coin-img-SOLSOL+0.66%coin-img-XAUTXAUT+0.98%coin-img-PAXGPAXG+0.92%coin-img-BASEDBASED+8.99%coin-img-CDDCDD-54.01%coin-img-XRPXRP+0.05%

Drift Protocol Says $280M Hack Used Solana "Durable Nonce" to Execute Presigned Transactions

Drift Protocol said the $280 million exploit that hit its Solana-based DeFi exchange stemmed from a "durable nonce" attack that let the hacker carry out presigned transactions and seize administrative control associated with the Drift Security Council. The incident surfaced early April 1 after assets began moving from the DEX vault to a Solana address, starting with 41 million JLP tokens and then additional tokens. Drift initially paused deposits and withdrawals and later described the event as a complex, sophisticated operation. The breach is being criticized as the largest crypto hack of 2026. In its account of events, Drift said the attacker used Solana durable nonce accounts to presign approvals and delay execution, describing the method as a "novel" approach. Durable nonces allow Solana transactions to remain valid beyond typical expiry windows, enabling offline signing and later submission of presigned transactions. Drift's preliminary report said the exploit did not involve a smart-contract bug or compromised seed phrases. Instead, the attacker allegedly obtained unauthorized or misrepresented approvals through a mix of durable nonces and social engineering. Those approvals were then used to execute the theft and impacted multiple projects across the Solana ecosystem. Piggybank_fi, Ranger Finance, TradeNeutral, Elemental DeFi, Reflect Money and other protocols reported limited exposure or paused deposits. The incident also weighed on markets: SOL fell about 5%, touching $78 intraday, extending a 37% year-to-date decline. The DRIFT token dropped 25%. Drift said the operation appeared to involve multi-week preparation. The attacker reportedly gained access to the Drift multisig as early as March 23, when the initial nonce was set. Of four nonce accounts created at the time, the attacker controlled two, while Drift Security Council members controlled the other two. The protocol said this gave the threat actor control over 2/5 of the multisig signers, which was used to sign transactions linked to durable nonce accounts and enable delayed execution. The attacker maintained that position through a March 27 multisig migration tied to changes in council membership. Ahead of the main exploit, the attacker conducted a test withdrawal from the insurance fund and later carried out an admin takeover using presigned durable nonce transactions. Drift said the hack was enabled by presigned durable nonce transactions and the compromise of multiple multisig signers' approvals, likely via targeted social engineering or transaction misrepresentation. The protocol said it is working with security firms, law enforcement and other stakeholders to trace and freeze stolen assets. Users have criticized Drift's governance setup, arguing that requiring only 2/5 approvals to authorize transactions created unnecessary risk.
Selected
SOL
SOL+0.69%
DRIFT
DRIFT+4.74%
Disclaimer: The content above is only the author's opinion and does not represent BingX’s stance. It shall not be construed as investment advice from BingX. For details, refer to the Terms and Conditions.