Drift Protocol Exploited for $280M, Onchain Messages Sent
Solana-based Drift Protocol suffered a $280M exploit, with attackers using pre-signed malicious transactions. Drift sent onchain messages to the exploiter's wallets, while an unknown party demanded 1,000 ETH. The attack affected over 20 protocols, with no recovery yet and potential North Korea links.
Quick Take
Drift Protocol loses $280-286 million in highly sophisticated Solana exploit.
Attacker used durable nonces to pre-sign transactions, mirroring Bybit hack technique.
Drift sent onchain messages to four attacker wallets seeking communication.
Unknown sender demands 1,000 ETH from exploiter; over 20 protocols impacted.
Market Impact Analysis
Bearish: Major exploit causing loss of trust and potential sell-off in SOL and affected tokens.
Key Takeaways
- Drift Protocol lost up to $286 million in a sophisticated exploit leveraging Solana's durable nonces feature.
- The attacker pre-signed malicious transactions weeks in advance, mirroring the Bybit hack methodology.
- Drift sent onchain messages to four attacker wallets, while an unknown party separately demanded 1,000 ETH from the exploiter.
- At least 20 Solana protocols were impacted, with Gauntlet alone facing $6.4 million in losses.
- No funds have been recovered 48 hours after the attack, and North Korean involvement is suspected.
What Happened
Drift Protocol, a Solana-based DEX, was drained of up to $286 million in a premeditated attack. The team responded by publishing onchain messages to four Ethereum wallets associated with the exploiter, requesting communication via Blockscan chat. Simultaneously, an unidentified party using the ENS name readnow.eth sent a separate onchain message demanding 1,000 ETH, claiming to know the attacker's identity. The exploit has since cascaded across the Solana ecosystem, with over 20 protocols reporting related losses.
The Numbers
The exploit's scale is staggering: $280 million to $286 million vanished in a single operation. Gauntlet, a DeFi platform, absorbed a $6.4 million hit, while the unknown sender's 1,000 ETH demand adds extortion to the theft. Two days have passed without recovery, and the damage keeps mounting as security firm Cyvers warns the impact is still growing across Solana's lending and trading protocols.
Why It Happened
The attacker weaponized Solana's durable nonces, a feature that allows pre-signing transactions for later execution. By embedding malicious instructions days in advance, the exploiter tricked signers into unknowingly authorizing the drain. This closely mirrors the Bybit hack, where similar transaction-spoofing techniques were used. Cyvers described it as a weeks-long staged operation, and some analysts suspect North Korean involvement, though those links remain unverified.
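A signer-side check for the durable-nonce pattern described above, as an added example (not Drift's or Solana's code): on the wire, a durable-nonce transaction is marked by a System Program `AdvanceNonceAccount` call as its first instruction, so a signing tool can parse the message and warn before approval. The function names and the sample keys are constructed for illustration.

```python
import struct

SYSTEM_PROGRAM = bytes(32)   # System Program ID (base58 "1" x 32) decodes to 32 zero bytes
ADVANCE_NONCE_ACCOUNT = 4    # SystemInstruction enum index, encoded as u32 little-endian

def _compact_u16(buf, off):
    """Decode a compact-u16 length prefix; return (value, next_offset)."""
    val = shift = 0
    while True:
        b = buf[off]
        off += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, off
        shift += 7

def durable_nonce_info(msg: bytes):
    """Return nonce account/authority (hex) if msg is a durable-nonce transaction, else None."""
    off = 1 if msg[0] & 0x80 else 0        # versioned messages start with a prefix byte
    off += 3                               # header: signature and read-only counts
    nkeys, off = _compact_u16(msg, off)
    keys = [msg[off + 32 * i: off + 32 * (i + 1)] for i in range(nkeys)]
    off += 32 * nkeys + 32                 # skip keys and the recent-blockhash slot
    ninstr, off = _compact_u16(msg, off)
    if ninstr == 0:
        return None
    prog, off = msg[off], off + 1          # only instruction 0 marks a nonce transaction
    nacc, off = _compact_u16(msg, off)
    accts, off = msg[off:off + nacc], off + nacc
    dlen, off = _compact_u16(msg, off)
    data = msg[off:off + dlen]
    if prog >= nkeys or keys[prog] != SYSTEM_PROGRAM or nacc < 3 or len(data) < 4:
        return None
    if struct.unpack("<I", data[:4])[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    name = lambda i: keys[i].hex() if i < nkeys else "lookup-table-index-%d" % i
    return {"nonce_account": name(accts[0]), "nonce_authority": name(accts[2])}

def _sample(accts, data):
    """Constructed legacy message: 4 made-up keys, one System Program instruction."""
    keys = b"\x01" * 32 + b"\x02" * 32 + b"\x03" * 32 + SYSTEM_PROGRAM
    ix = bytes([3, len(accts)]) + bytes(accts) + bytes([len(data)]) + data
    return bytes([1, 0, 2, 4]) + keys + b"\xaa" * 32 + bytes([1]) + ix

NONCE_TX = _sample([1, 2, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT))
TRANSFER_TX = _sample([0, 1], struct.pack("<IQ", 2, 1000))

if __name__ == "__main__":
    for label, m in (("nonce", NONCE_TX), ("transfer", TRANSFER_TX)):
        print(label, durable_nonce_info(m))
```

A hit means the signature stays usable until the nonce account is advanced rather than expiring with a recent blockhash, so the approval flow should show the nonce authority and require an explicit confirmation.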
Broader Impact
The incident exposes systemic risks in Solana's transaction architecture and raises red flags about durable nonce abuse. With 20 protocols suffering collateral damage, contagion fears are spiking. This could accelerate calls for additional security layers and may trigger greater scrutiny from regulators and institutional participants eyeing DeFi exposure.
What to Watch Next
- Whether Drift's onchain outreach leads to partial fund recovery, echoing the Euler Finance hack resolution.
- Centralized exchange and stablecoin issuer blacklists if the attacker attempts to move funds.
- Solana Foundation's protocol-level response and potential mitigations for durable nonce vulnerabilities.
This article is for informational purposes only and does not constitute financial advice.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved.