The attack on Drift Protocol was not a hack in the conventional sense.
No one found a bug or cracked a private key. There was no flash loan exploit or manipulated oracle either.
Instead, an attacker used a legitimate Solana feature, ‘durable nonces,’ to trick Drift’s security council into pre-approving transactions that would be executed weeks later, at a time and in a context the signers never intended.
The result was a drain of at least $270 million that took less than a minute to execute but more than a week to set up.
What durable nonces are and why they exist
On Solana, every transaction includes a ‘recent blockhash,’ essentially a timestamp that proves the transaction was created recently. That blockhash expires after about 60 to 90 seconds. If the transaction is not submitted to the network within that window, it becomes invalid. This is a safety feature that helps prevent old, stale transactions from being replayed later.
Durable nonces override that safety feature. They replace the expiring blockhash with a fixed ‘nonce,’ a one-time code stored in a special onchain account, that keeps the transaction valid indefinitely until someone chooses to submit it.
The feature exists for legitimate reasons. Hardware wallets, offline signing setups, and institutional custody solutions all need the ability to prepare and approve transactions without being forced to submit them within 90 seconds.
But indefinitely valid transactions create a problem. If one can get someone to sign a transaction today, it can be executed next week or next month, per the system’s hardcoded rules. The signer has no way to revoke their approval once it’s given, unless the nonce account is manually advanced, which most users don’t monitor.
How the attacker used them
Drift’s protocol was governed by a ‘Security Council multisig,’ a system in which multiple people (in this case, five) share control, and any action requires at least two of them to approve. Multisigs are a standard security practice in DeFi, where the idea is that compromising a single person is not enough to steal funds.
But the attacker didn’t need to compromise anyone’s keys. All they needed were two signatures, and they appear to have obtained them through what Drift describes as “unauthorized or misrepresented transaction approvals,” meaning the signers likely thought they were approving a routine transaction.
Here is the timeline Drift published in a Thursday X post.
On March 23, four durable nonce accounts were created. Two were associated with legitimate Drift Security Council members. Two were controlled by the attacker. This means the attacker had already obtained valid signatures from two of the five council members, locked into durable nonce transactions that would not expire.
On March 27, Drift executed a planned Security Council migration to swap out a council member. The attacker adapted. By March 30, a new durable nonce account appeared, tied to a member of the updated multisig, indicating the attacker had re-obtained the required two-of-five approval threshold under the new configuration.
On April 1, the attacker executed.
First, Drift ran a legitimate test withdrawal from its insurance fund. Roughly one minute later, the attacker submitted the pre-signed durable nonce transactions. Two transactions, four slots apart on the Solana blockchain, were enough to create and approve a malicious admin transfer, then approve and execute it.
Within minutes, the attacker had full control of Drift’s protocol-level permissions. They used that control to introduce a fraudulent withdrawal mechanism and drain the vaults.

What was taken and where it went
Onchain researchers tracked the fund flows in real time. The breakdown of stolen assets, compiled by security researcher Vladimir S., totaled roughly $270 million across dozens of tokens.
The largest single category was $155.6 million in JPL tokens, followed by $60.4 million in USDC, $11.3 million in CBBTC (Coinbase wrapped bitcoin), $5.65 million in USDT, $4.7 million in wrapped ether, $4.5 million in DSOL, $4.4 million in WBTC, $4.1 million in FARTCOIN, and smaller amounts across JUP, JITOSOL, MSOL, BSOL, EURC, and others.

The primary drainer wallet was funded eight days before the attack via NEAR Protocol intents but remained inactive until execution day. Stolen funds were transferred to intermediary wallets that were funded just the day before via Backpack, a decentralized crypto exchange that requires identity verification, potentially giving investigators a lead.
From there, funds moved to Ethereum addresses via Wormhole, a cross-chain bridge. Those Ethereum addresses were pre-funded using Tornado Cash, the sanctioned privacy mixer.
ZachXBT, a prominent onchain investigator, noted that over $230 million in USDC was bridged from Solana to Ethereum via Circle’s CCTP (Cross-Chain Transfer Protocol) across more than 100 transactions.
He criticized Circle, the centralized issuer of USDC, for not freezing the stolen funds during a six-hour window after the attack began around noon Eastern time.
The attack was also reminiscent of recent social engineering attempts, using tactics similar to those seen before, according to a social media post by a user who goes by ‘Temmy.’ “we have seen this before. we have seen this so many times,” the user said.
“bybit. $1.4 billion. the attacker compromised the signing infrastructure and tricked signers into authorizing malicious transactions. same concept. social engineering. not code. ronin bridge. $625 million. compromised validator keys. same story. cetus protocol. $223 million. different method but same result. hundreds of millions gone,” the post said.
What was not compromised
What failed was the human layer around the multisig. Durable nonces allowed the attacker to separate the moment of approval from the moment of execution by more than a week, creating a gap in which the context of the signed document no longer matched the context in which it was used.
All deposits into Drift’s borrow-and-lend products, vault deposits, and trading funds are affected. DSOL tokens not deposited in Drift, including assets staked to the Drift validator, are unaffected. Insurance fund assets are being withdrawn and safeguarded. The protocol has been frozen, and the compromised wallet has been removed from the multisig.
As such, this is the third major exploit in recent months that did not involve a code vulnerability. Social engineering and operational security failures, rather than smart contract bugs, are increasingly how money leaves DeFi protocols.
The durable nonce vector is particularly dangerous because it exploits a feature that exists for good reason and is hard to defend against without fundamentally changing how multisig approvals work on Solana.
The open question, which Drift’s forthcoming detailed postmortem will need to answer, is how two separate multisig members approved transactions they did not understand, and whether any tooling or interface changes could have flagged durable nonce transactions as requiring additional scrutiny.
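On the tooling question: a durable nonce transaction is recognizable before signing, because Solana requires its first instruction to be the System Program's AdvanceNonceAccount. The sketch below is an added example, not code from Drift or the original article; the function names and the constructed sample message are assumptions made for illustration.

```python
import struct

SYSTEM_PROGRAM = bytes(32)  # System Program id is 32 zero bytes
ADVANCE_NONCE = 4           # SystemInstruction::AdvanceNonceAccount variant index

def short_u16(buf, i):
    """Decode Solana's compact-u16 length prefix; return (value, next_offset)."""
    val = shift = 0
    while True:
        b = buf[i]
        i += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, i
        shift += 7

def durable_nonce_info(msg):
    """Return nonce details if msg (serialized message bytes) uses a durable nonce, else None."""
    i = (1 if msg[0] & 0x80 else 0) + 3   # optional version byte, then 3-byte header
    n_keys, i = short_u16(msg, i)
    keys = [msg[i + 32 * k: i + 32 * (k + 1)] for k in range(n_keys)]
    i += 32 * n_keys
    nonce_value = msg[i:i + 32]           # the "recent blockhash" field carries the nonce
    n_ix, i = short_u16(msg, i + 32)
    if n_ix == 0:
        return None
    prog = msg[i]                         # only the first instruction decides
    n_acc, i = short_u16(msg, i + 1)
    accts = msg[i:i + n_acc]
    n_data, i = short_u16(msg, i + n_acc)
    data = msg[i:i + n_data]
    if prog >= n_keys or keys[prog] != SYSTEM_PROGRAM or n_acc < 3 or len(data) < 4:
        return None
    if struct.unpack("<I", data[:4])[0] != ADVANCE_NONCE:
        return None
    key = lambda j: keys[j] if j < n_keys else None  # None: loaded via lookup table
    return {"nonce_account": key(accts[0]), "authority": key(accts[2]),
            "nonce_value": nonce_value}

def sample_message(variant):
    """Constructed legacy message with one System Program instruction of the given variant."""
    keys = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, SYSTEM_PROGRAM]  # authority, nonce, sysvar, program
    data = struct.pack("<I", variant)
    ix = bytes([3, 3, 1, 2, 0, len(data)]) + data  # program idx, 3 accounts, data
    return bytes([1, 0, 2, 4]) + b"".join(keys) + b"\xAA" * 32 + bytes([1]) + ix

if __name__ == "__main__":
    for name, variant in (("advance-nonce", 4), ("transfer", 2)):
        hit = durable_nonce_info(sample_message(variant))
        print(name, "-> DURABLE NONCE: no expiry" if hit else "-> ordinary blockhash")
```

A signing interface could run a check like this on the message bytes and show the nonce account and authority alongside a notice that the approval does not expire until that nonce account is advanced.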
