Drift

April 1, 2026·Solana·Key Compromise

$285.0M

total loss

StatusConfirmed

A team posing as a quant trading firm spent six months getting close to Drift's developers, then tricked two of the protocol's signers into blindly approving transactions that handed over admin control. With control of the protocol, the attacker invented a fake collateral token, deposited it, and withdrew $285 million from three vaults in twelve minutes. Funds were swapped to USDC, bridged to Ethereum, and laundered through addresses pre-funded via Tornado Cash. The attack has been attributed to UNC4736, a North Korean state-sponsored group.

User vault depositsdrained($285M drained from 3 vaults)

Trading positionsdrained

DRIFT token pricedrained(down 40% on disclosure)

Recovery fund establishedpartially affected($147.5M from Tether + partners)

What the score saw

Our pre-hack assessment flagged Drift's centralized admin authority and weak development practices as its biggest exposures. Both became the attack surface: compromised signing keys gave the attacker total protocol control.

Exploit anatomy

The attackers compromised two of Drift's signers, extracted blind pre-signatures over six months, then submitted anadmin transfer proposalandadmin transfer executionone second apart, taking over protocol control before draining three vaults and bridging out to Ethereum viathe attacker's address.

Fund flow

Source

JLP Delta Neutral vault

$159.3M

SOL Super Staking vault

BTC Super Staking vault

Takeover

Admin transfer target

attacker-controlled address

H7PiGqqUaa...uy7ZgL

Swap & bridge

Solana DEX aggregator

all assets swapped to USDC

Wormhole bridge

USDC moved to Ethereum

Laundering

Primary launderer

8ubo4HbWJH...Z9rGxw

Secondary launderer

7igSaKEZKd...b1Fgne

Tornado Cash

destination addresses pre-funded

Full forensic detail

Step-by-step reconstruction, root cause, counterfactuals, remediation, and disclosure timeline.

Exploit anatomy

Attackers posed as a quantitative trading firm starting fall 2025. Built trust with Drift contributors across multiple conferences and in-person meetings over six months. Deposited $1M+ in genuine trades to establish credibility.

One contributor was compromised via a malicious code repository exploiting a VS Code/Cursor vulnerability (active Dec 2025 to Feb 2026). A second contributor was compromised via a malicious TestFlight wallet application.

March 10-11: attacker withdrew 10 ETH from Tornado Cash to fund infrastructure. March 12: created CarbonVote Token (CVT) with 750M supply, seeded a Raydium liquidity pool with ~$500 real liquidity, and wash-traded to anchor the price near $1.

March 23-30: created multiple durable nonce accounts on Solana. These allow pre-signed transactions to persist indefinitely without expiring.

March 26-27: Drift migrated the Security Council to a new 2/5 threshold multisig with zero timelock. This eliminated the detection and intervention window.

Attackers socially engineered Security Council members into pre-signing durable nonce transactions. The transactions appeared routine but contained hidden admin transfer instructions. Only 2 of 5 signatures were needed.

Admin transfer proposal submitted at 16:05:18 UTC on April 1. Transferred admin control to an attacker-controlled address.

Drift Prot...col v2admin_transfer_proposaltx:2HvMSgDEfK...pc2C4H

Admin transfer executed one second later at 16:05:19 UTC. Attacker now held full protocol control.

Drift Prot...col v2admin_transfer_executetx:4BKBmAJn6T...B9RsN1

Whitelisted CVT as accepted collateral with infinite borrowing limits. Deposited 500M CVT (artificially valued near $1/unit) as collateral.

Drift Prot...col v2update_spot_market / add_collateral

10.

Executed 31 withdrawal transactions over 12 minutes (16:05-16:17 UTC). Drained the JLP Delta Neutral vault, SOL Super Staking vault, and BTC Super Staking vault.

Drift Prot...Vaultswithdraw

11.

Swapped all stolen tokens to USDC via a Solana DEX aggregator. Assets included USDC ($71.4M), JLP ($159.3M), cbBTC ($11.3M), USDT ($5.6M), USDS ($5.3M), WETH ($4.7M), dSOL ($4.5M), WBTC ($4.4M), FARTCOIN ($4.1M), JitoSOL ($3.6M), and 8+ additional token types.

12.

About 23 minutes after admin takeover, began bridging USDC to Ethereum via Wormhole. Ethereum destination addresses had been pre-funded using Tornado Cash. Converted to ETH on the Ethereum side.

Wormhole Bridgebridge

Root cause

Compound failure across three layers. First, operational security: a six-month social engineering campaign compromised two Security Council members' devices. The attacker extracted blind pre-signatures on durable nonce transactions. Second, governance architecture: the March 26 migration to a 2/5 Security Council threshold with zero timelock removed the protocol's last automated safeguard. Only 2 compromised signers were needed. No delay existed to detect the attack. Third, collateral validation: once admin control was obtained, no circuit-breaker or independent check prevented an admin from whitelisting an arbitrary token with fabricated price data as collateral. Social engineering, weak multisig governance, and absent admin-action guardrails combined for total drainage. This wasn't a smart contract vulnerability. Drift's on-chain code functioned as designed. The failure was in operational security and governance parameter choices.

Prevention analysis

72-hour timelock on Security Council admin actions.

Would have created a detection window between the admin transfer proposal (16:05:18 UTC) and execution. Community monitors and automated alerts would have flagged the unauthorized transfer before it took effect.

Transaction simulation and human-readable signing (ERC-8213 / Solana equivalent).

Security Council members would have seen the actual effect of each transaction instead of raw hex data. The admin transfer payload would have been legible. Blind approval prevented.

Circuit breaker on withdrawal velocity (e.g., max 10% TVL per hour).

Would have capped drainage at about $50M before automated pause kicked in. The 31-transaction, 12-minute withdrawal pattern would have tripped it immediately.

Independent collateral validation oracle (not controlled by admin key).

The fabricated CVT token could not have been whitelisted without independent sign-off from a separate oracle committee or on-chain governance vote.

Air-gapped signing ceremony with multi-party computation.

Would have killed the social engineering vector outright. Signing ceremonies requiring physical co-presence with independent verification make blind signing attacks infeasible.

Similar incidents

Radiant Capital

Same threat actor (UNC4736/DPRK). Social engineering of multisig signers, device compromise, blind transaction signing. Radiant attack confirmed by Mandiant as same group.

Ronin Bridge (Axie Infinity)

DPRK-attributed (Lazarus Group). Social engineering via fake job offer to compromise validator keys on a 5/9 multisig. Same pattern: long-duration social engineering to obtain signing authority.

WazirX

DPRK-attributed. Multisig compromise through social engineering and blind signing. Similar governance failure pattern.

Remediation

1.Add a mandatory 48-72 hour timelock on all admin-level parameter changes. Covers collateral whitelisting, admin transfers, and Security Council configuration.

2.Deploy automated circuit breakers that pause withdrawals when velocity exceeds a configurable TVL percentage per time window.

3.Adopt human-readable transaction signing standards (Solana SIMD equivalent to ERC-8213). Eliminate blind signing across all multisig operations.

4.Require an independent governance vote for collateral additions. Minimum quorum and separate oracle validation, not admin-controlled.

5.Quarterly opsec training for all multisig signers. Cover social engineering awareness and device hygiene.

6.Full security re-audit of rebuilt codebase by OtterSec (code) and Asymmetric (opsec).

7.Key rotation and new multisig configuration for the relaunched protocol.

Timeline

2025-10-01Social engineering campaign begins at a major crypto conference. Attackers pose as a quantitative trading firm.

2025-12-01VS Code/Cursor vulnerability used to compromise a Drift contributor's device via a malicious repository.

2026-02-01Second contributor compromised via a malicious TestFlight wallet app.

2026-03-10Attacker withdraws 10 ETH from Tornado Cash to fund on-chain infrastructure.

2026-03-12CarbonVote Token (CVT) created with 750M supply. Raydium liquidity seeded. Wash trading initiated.

2026-03-23Durable nonce account creation begins on Solana.

2026-03-26Drift Security Council migrated to 2/5 threshold multisig with zero timelock.

2026-03-27Attackers obtain blind pre-signatures from compromised Security Council members.

2026-03-30Final durable nonce preparations completed.

2026-04-01Admin transfer proposal submitted.

2026-04-01Admin transfer executed. Attacker gains full protocol control.

2026-04-0131 withdrawal transactions begin across three vaults.

2026-04-01Vault drainage complete. $285M extracted in 12 minutes.

2026-04-01First stolen funds bridged to Ethereum via Wormhole. About 23 minutes after admin takeover.

2026-04-02Drift confirms the exploit and halts withdrawals.

2026-04-05Drift attributes the attack to UNC4736 (DPRK) based on fund flow links to the Radiant Capital exploit.

2026-04-15Class action lawsuit filed by Gibbs Mura law group.

2026-04-16Tether-led $147.5M recovery fund announced. Drift to transition to USDT settlement.

2026-05-05Drift publishes full recovery plan for affected users.

Sources

trmlabs.com chainalysis.com elliptic.co cyfrin.io coindesk.com coindesk.com coindesk.com

TRM Labs (attribution), Chainalysis (fund flow), Elliptic (forensics), Cyfrin/Patrick Collins (technical analysis), Mandiant (UNC4736 identification)

Continuous adversarial monitoring

Get your protocol scored across 12 dimensions, or request ongoing coverage.

Request Scoring View Plans