Drift Protocol lose $270M as Solana durable nonce make pre-signed multi-sig withdrawals waka
Drift Protocol sufia loss of $270M after attackers use Solana durable nonce to run pre-signed multisig withdrawals weeks after approvals. Dis breach no be normal code bug or private-key theft but governance workflow failure: five-member security council need 2-of-5 approvals, yet attackers gather misleading signatures using durable nonce accounts.
Attackers set up durable nonce accounts end of March and adapt after council migration on March 27. One normal-looking test withdrawal from Drift’s insurance fund make ready transactions wey don already valid to broadcast immediately. Funds commot in two transactions and dem pass am through plenty wallets, including Backpack as identity-gated intermediary.
Tracing show biggest loss na JPL ($155.6M), followed by USDC ($60.4M), CBBTC ($11.3M), and USDT ($5.65M), plus other assets. Analysts talk say $230M+ USDC move go Ethereum via Circle’s CCTP. Circle also dey criticized for no freeze stolen funds inside first six hours.
For traders, this incident raise short-term risk around Solana DeFi governance and multisig operations, and fit press sentiment against protocols wey get complex multisig + durable nonce security. Any follow-on freezes, recovery moves, or further disclosures fit cause short-term volatility, especially for affected tokens.
Bearish
Di exploit fokis na core Solana DeFi security primitive (durable nonce) and e show say even 2-of-5 multisig fit commot through operational/social-engineering timing gaps. For short term, dis one go raise perceived smart-contract and governance risk for Drift-adjacent liquidity and for multisig systems wey design resemble, wey fit reduce people risk appetite and cause sell pressure on affected assets (specially JPL and USDC-linked exposure). For long term, traders fit factor higher security and compliance costs into price, make dem keep conservative positions until audits and governance redesigns show clearer guarantees. Potential freeze/recovery actions (and any exchange/bridge responses) fit cause sharp intraday moves, but initial impact likely negative for tokens wey tie to the incident.