Top Stories | Sentiment: Bearish (89) | Tags: SOL, JPL

Solana Feature Exploited to Drain $270M from Drift

Exploiters used Solana’s durable nonces to trick Drift’s security council into pre-approving malicious transactions, gaining control and draining over $270 million in tokens. The attack exploited legitimate on-chain functionality, not code bugs, highlighting a design risk.

CoinDesk · Shaurya Malwa

Quick Take

  1. The attacker used Solana durable nonces to keep signed transactions valid indefinitely.
  2. Two Drift council members signed transactions that had been misrepresented to them, handing the attacker control of the protocol.
  3. On April 1 the attacker executed the pre-signed transfers, draining $270M in under a minute.
  4. Largest losses: $155.6M in JPL and $60.4M in USDC, plus CBBTC, USDT and other tokens.

Market Impact Analysis: Bearish (short timeframe)

Uncertainty and loss of confidence in Solana DeFi security may cause sell-offs in SOL, DRIFT, and associated tokens.

Speculation Analysis

Factuality: 90/100 (rumors verified)
Speculation trigger: 95/100 (scale runs from minimal to extreme FOMO)

Key Takeaways

  • An attacker exploited Solana’s durable nonce feature to secure pre-approved transaction signatures from Drift’s security council without alerting signers.
  • Over $270 million was drained—including $155.6M in JPL and $60.4M in USDC—in under 60 seconds after a nine-day setup.
  • The exploit didn’t rely on code bugs or key theft; it weaponized a legitimate on-chain tool designed for offline signing.
  • This attack underscores the hidden dangers of indefinitely valid transactions in multisig governance.

Total drained: $270M across multiple tokens
JPL lost: $155.6M, the largest single-token loss
USDC lost: $60.4M, the second-largest stolen asset
Setup time: 9 days from nonce creation to execution

What Happened

On April 1, Drift Protocol saw more than $270 million vanish from its vaults. The attacker did not steal a private key or find a smart-contract bug. Instead, they abused Solana’s durable nonce system, a feature meant to support offline signing, to get Drift’s security council to pre-approve malicious transactions days in advance. Starting March 23, the attacker created durable nonce accounts, some tied to council members. By presenting the transactions as routine, they obtained signatures from two of the five council members. Because those transactions were bound to nonce values rather than to a recent blockhash, the signatures stayed valid until the nonce accounts were advanced, and nobody at Drift was watching for that. On March 27, Drift rotated a council member, but the attacker adapted and secured fresh approvals by March 30. On April 1, they submitted the pre-signed transactions, gained full control of the protocol and drained the funds.

The Numbers

The total haul reached $270 million, making it one of DeFi’s largest exploits. The biggest chunk was $155.6 million in JPL. Stablecoins accounted for $60.4 million in USDC, along with smaller amounts of CBBTC and USDT. Execution took less than a minute, but the groundwork spanned nine days. A normal Solana transaction references a recent blockhash and expires roughly 60 to 90 seconds later; a durable-nonce transaction references a value stored in a nonce account instead and stays valid until that nonce is advanced, which nobody at Drift was monitoring.

Why It Happened

Solana’s durable nonce mechanism replaces the expiring recent blockhash in a transaction with the value stored in a nonce account, and that value only changes when the nonce authority advances it. The feature exists for legitimate reasons, such as signing on an air-gapped hardware wallet and broadcasting later, but it creates a standing risk: once a transaction has been signed against a nonce, it can be submitted at any future time. A co-signer cannot withdraw their approval; the only way to kill the transaction is to advance the nonce, and only the nonce authority can do that. The attacker weaponized this by deceiving two council members into signing what they believed were benign actions. Combined with a multisig threshold of two out of five, those two signatures were enough for full control. The lesson for multisig governance is that a signature on a durable-nonce transaction is a standing authorization, not a one-off approval, and signers must verify who controls the nonce account and what the transaction will do in the state that exists when it is finally submitted.
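The check a council member's signing tool would want here, written as an added example that is not Drift's, Solana's or the article's own code: parse a Solana legacy transaction message from its wire bytes, detect whether it is bound to a durable nonce (the runtime treats a transaction as nonce-based only when its first instruction is the System Program's AdvanceNonceAccount), and refuse to sign when the nonce authority is a key the council does not control. The System Program ID (32 zero bytes) and the AdvanceNonceAccount discriminator (u32 little-endian 4) are the real on-chain values; every other public key below is a constructed 32-byte placeholder, including the stand-in for the RecentBlockhashes sysvar, and the multisig program and approval payload are invented for the demo. The parser handles legacy messages only, not v0 messages with address-lookup tables.

```python
"""Signer-side guard against durable-nonce transactions (added example, not Drift/Solana code)."""
from dataclasses import dataclass

SYSTEM_PROGRAM = bytes(32)                          # real: "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = (4).to_bytes(4, "little")   # real SystemInstruction discriminator


def read_compact_u16(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode Solana's compact-u16: 7 bits per byte, high bit means 'more bytes follow'."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def write_compact_u16(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


@dataclass
class Instruction:
    program: bytes
    accounts: list   # resolved 32-byte keys in instruction order
    data: bytes


@dataclass
class Message:
    num_signers: int          # header byte 0: the first N keys must sign
    keys: list
    recent_blockhash: bytes   # a live blockhash, or the stored nonce value
    instructions: list


def parse_legacy_message(raw: bytes) -> Message:
    """Wire layout: 3-byte header, compact array of 32-byte keys, blockhash, compact array of ixs."""
    num_signers, pos = raw[0], 3
    n, pos = read_compact_u16(raw, pos)
    keys = [raw[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n)]
    pos += 32 * n
    blockhash, pos = raw[pos:pos + 32], pos + 32
    n, pos = read_compact_u16(raw, pos)
    instrs = []
    for _ in range(n):
        program, pos = keys[raw[pos]], pos + 1
        m, pos = read_compact_u16(raw, pos)
        accounts, pos = [keys[i] for i in raw[pos:pos + m]], pos + m
        dlen, pos = read_compact_u16(raw, pos)
        data, pos = raw[pos:pos + dlen], pos + dlen
        instrs.append(Instruction(program, accounts, data))
    return Message(num_signers, keys, blockhash, instrs)


def durable_nonce_authority(msg: Message):
    """Nonce authority key if instruction 0 is AdvanceNonceAccount([nonce, sysvar, authority]), else None."""
    if not msg.instructions:
        return None
    ix = msg.instructions[0]
    if ix.program == SYSTEM_PROGRAM and ix.data == ADVANCE_NONCE_ACCOUNT and len(ix.accounts) == 3:
        return ix.accounts[2]
    return None


def signing_policy(raw: bytes, council_nonce_authorities: set) -> tuple[str, str]:
    """Verdict to enforce before a council member's key produces a signature."""
    authority = durable_nonce_authority(parse_legacy_message(raw))
    if authority is None:
        return "ALLOW", "blockhash-bound: the signature expires with the blockhash in about a minute"
    if authority not in council_nonce_authorities:
        return "REJECT", "durable nonce controlled by a non-council authority: signature would never expire"
    return "WARN", "durable nonce under council control: advance the nonce once the tx is submitted or dropped"


def build_message(num_signers, keys, recent_blockhash, instrs) -> bytes:
    """Serialize a legacy message; instrs are (program index, [account indices], data). Read-only
    counts in the header are left at 0 because the parser above does not need them."""
    out = bytearray([num_signers, 0, 0]) + write_compact_u16(len(keys)) + b"".join(keys)
    out += recent_blockhash + write_compact_u16(len(instrs))
    for prog_idx, acct_idx, data in instrs:
        out += bytes([prog_idx]) + write_compact_u16(len(acct_idx)) + bytes(acct_idx)
        out += write_compact_u16(len(data)) + data
    return bytes(out)


# Constructed placeholder keys for the demo; none of these are real addresses.
COUNCIL_A = b"\x01" * 32          # a security-council signer
ATTACKER = b"\x02" * 32           # attacker's key: fee payer and nonce authority
NONCE_ACCT = b"\x03" * 32         # nonce account the attacker created
RECENT_BLOCKHASHES = b"\x04" * 32 # stand-in for the RecentBlockhashes sysvar
MULTISIG = b"\x05" * 32           # stand-in for the governance program
APPROVE = b"approve:routine-config-change"   # what the signer was told they were approving


def attacker_nonce_message() -> bytes:
    keys = [ATTACKER, COUNCIL_A, NONCE_ACCT, RECENT_BLOCKHASHES, SYSTEM_PROGRAM, MULTISIG]
    return build_message(2, keys, b"\x99" * 32, [          # stored nonce replaces the blockhash
        (4, [2, 3, 0], ADVANCE_NONCE_ACCOUNT),             # nonce acct, sysvar, authority=ATTACKER
        (5, [1], APPROVE)])


def council_nonce_message() -> bytes:
    keys = [COUNCIL_A, NONCE_ACCT, RECENT_BLOCKHASHES, SYSTEM_PROGRAM, MULTISIG]
    return build_message(1, keys, b"\x99" * 32, [(3, [1, 2, 0], ADVANCE_NONCE_ACCOUNT), (4, [0], APPROVE)])


def ordinary_message() -> bytes:
    return build_message(1, [COUNCIL_A, MULTISIG], b"\x42" * 32, [(1, [0], APPROVE)])  # live blockhash


if __name__ == "__main__":
    for name, fn in [("attacker nonce", attacker_nonce_message),
                     ("council nonce", council_nonce_message), ("ordinary", ordinary_message)]:
        print(f"{name:15s} -> {signing_policy(fn(), {COUNCIL_A})}")
```

The policy only looks at the message bytes the signer is being asked to sign. A production guard would additionally fetch the nonce account from an RPC node to confirm its on-chain authority and current nonce value, and the council would need an operational rule that every nonce it does own is advanced immediately after a transaction is submitted or abandoned, since an un-advanced nonce is exactly the standing authorization the attack relied on.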

Broader Impact

The Drift exploit may shake confidence in Solana’s DeFi ecosystem. It exposes how legitimate blockchain features can be exploited without technical vulnerabilities. Projects using multisig with durable nonces must reassess their security. Expect calls for better detection tools and revocable approval mechanisms. SOL and DRIFT token prices could face short-term selling pressure as investors digest the breach.

What to Watch Next

  • Drift’s recovery plan: Will the team compensate users? The market will react to any reimbursement proposal or governance vote.
  • Solana protocol updates: Developers may propose changes to durable nonce handling, such as adding expiration or revocation capabilities.
  • Regulatory scrutiny: High-profile exploits often attract attention from regulators, especially when user funds are lost.

Source: CoinDesk

This article is for informational purposes only and does not constitute financial advice.


© 2026 Bytewit. All Rights Reserved.

Jun 5, 2026, 4:46 PM UTC · CoinDesk