Drift Protocol Reveals Nonce Attack Behind $280M Exploit
Solana-based Drift Protocol suffered a $285 million exploit involving a multi-sig compromise and the misuse of durable nonce transactions.

Quick Take
Attackers siphoned $285 million after a social engineering breach of the multi-sig system.
Hackers used "durable nonces" to execute pre-signed transactions and bypass withdrawal limits.
All deposits and withdrawals remain suspended while security firms track the stolen assets.
No smart contract bugs were found, highlighting human-factor risks in protocol governance.
Drift Protocol has confirmed a major security breach that led to the loss of around $280 million. The incident took place on April 1, 2026, after the team first noticed unusual activity on the platform. At first, the protocol only warned users not to deposit funds.
Drift Protocol is experiencing an active attack. Deposits and withdrawals have been suspended. We are coordinating with multiple security firms, bridges, and exchanges to contain the incident. This is not an April Fools joke. We’ll provide additional updates from this account as… https://t.co/03SRPq4fHj
— Drift (@DriftProtocol) April 1, 2026
Soon after, it confirmed that an active attack was underway. Deposits and withdrawals were quickly paused to limit further damage. Early on-chain data showed that a large amount of funds moved out within minutes. The scale of the incident raised concerns across the wider Solana DeFi ecosystem.
A Carefully Planned Nonce Attack
According to the Drift Protocol team, this was not a simple hack. Instead, the attacker executed a well-planned assault after weeks of preparation. The method relied on Solana "durable nonce" accounts. A normal Solana transaction references a recent blockhash and expires after roughly 150 slots, about a minute, if it has not landed. A durable nonce replaces that blockhash with a value stored in a nonce account, so a signed transaction stays valid until the nonce is advanced. This let the attacker collect signatures well in advance and submit the transactions at the chosen moment.
April 1: Execution Phase
Step 1: Legitimate Test Transaction
Drift executed a test withdrawal from the insurance fund: https://t.co/HhTkt4ddnI
Step 2: Admin Takeover (~1 minute later)
The attacker executed two pre-signed durable nonce transactions (4 slots apart):
– Create…
— Drift (@DriftProtocol) April 2, 2026
More importantly, the attacker gained admin-level control by securing enough approvals from the multisig. Reports indicate a 2-of-5 multisig, meaning two signer approvals were enough to act. Once in control, the attacker moved quickly, changed key settings and removed the limits on withdrawals, which allowed the funds to be drained in a short time.
No Smart Contract Bug Found
The Drift Protocol team has clarified an important detail: the nonce attack did not result from a bug in the code, and there is no evidence that user wallets or seed phrases were compromised. Instead, the weakness lay in how the system handled approvals.
The attacker likely relied on social engineering, tricking or misleading signers into approving transactions that looked harmless. Those approvals, held as pre-signed durable nonce transactions, were then submitted later. In simple terms, the system worked as designed; the attacker misused legitimate approvals and controlled the timing.
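The pattern described above has an observable on-chain shape: a durable-nonce transaction must carry SystemProgram AdvanceNonceAccount as its first instruction, and a takeover shows up as a burst of such transactions touching admin or multisig accounts within a few slots. The script below is an added example, not Drift's code or data from the incident. It assumes transactions in the shape returned by Solana's getTransaction RPC with jsonParsed encoding; the watchlist keys, signatures and transactions are constructed stand-ins.

```python
# Added example: triage Solana transactions for durable-nonce activity that
# touches admin/multisig accounts, then correlate bursts of such activity.
# All public keys, signatures and transactions below are constructed, not
# on-chain data. Assumes getTransaction(..., encoding="jsonParsed") shape.
from dataclasses import dataclass, field
from typing import List, Optional

SYSTEM_PROGRAM = "11111111111111111111111111111111"

# Hypothetical watchlist an operator would maintain: accounts whose
# modification should never happen via a pre-signed transaction.
WATCHLIST = {
    "MultisigConfigXXXXXXXXXXXXXXXXXXXXXXXXXXXXX": "multisig config (constructed)",
    "ProtocolAdminXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX": "protocol admin (constructed)",
}


@dataclass
class Finding:
    signature: str
    slot: int
    nonce_account: Optional[str]          # set only for durable-nonce txs
    watched: List[str] = field(default_factory=list)

    @property
    def durable(self) -> bool:
        return self.nonce_account is not None

    @property
    def severity(self) -> str:
        if self.durable and self.watched:
            return "high"    # pre-signed tx driving admin-controlled accounts
        if self.durable:
            return "info"    # durable nonces alone are legitimate and common
        return "none"


def durable_nonce_account(tx: dict) -> Optional[str]:
    """Return the nonce account if tx is a durable-nonce transaction.

    Solana requires AdvanceNonceAccount to be the FIRST instruction of a
    durable-nonce transaction, so only index 0 needs inspecting.
    """
    instrs = tx["transaction"]["message"]["instructions"]
    if not instrs:
        return None
    first = instrs[0]
    parsed = first.get("parsed")
    if (first.get("programId") == SYSTEM_PROGRAM
            and isinstance(parsed, dict)
            and parsed.get("type") == "advanceNonceAccount"):
        return parsed["info"]["nonceAccount"]
    return None


def watched_accounts(tx: dict) -> List[str]:
    """Account keys of tx that appear on the watchlist."""
    keys = tx["transaction"]["message"]["accountKeys"]
    pubkeys = {k["pubkey"] if isinstance(k, dict) else k for k in keys}
    return sorted(pubkeys & WATCHLIST.keys())


def triage(tx: dict) -> Finding:
    return Finding(signature=tx["transaction"]["signatures"][0],
                   slot=tx["slot"],
                   nonce_account=durable_nonce_account(tx),
                   watched=watched_accounts(tx))


def correlate(findings: List[Finding], window_slots: int = 10) -> List[List[str]]:
    """Group high-severity findings that land within window_slots of each
    other. Several pre-signed admin transactions firing a few slots apart
    is the signature of a prepared takeover rather than routine operations."""
    highs = sorted((f for f in findings if f.severity == "high"), key=lambda f: f.slot)
    groups: List[List[Finding]] = []
    for f in highs:
        if groups and f.slot - groups[-1][-1].slot <= window_slots:
            groups[-1].append(f)
        else:
            groups.append([f])
    return [[f.signature for f in g] for g in groups if len(g) > 1]


def make_tx(sig: str, slot: int, keys: List[str], instrs: List[dict]) -> dict:
    """Build a constructed transaction in jsonParsed shape (test data only)."""
    return {"slot": slot, "transaction": {"signatures": [sig], "message": {
        "accountKeys": [{"pubkey": k} for k in keys], "instructions": instrs}}}


ADVANCE_IX = {"programId": SYSTEM_PROGRAM, "program": "system",
              "parsed": {"type": "advanceNonceAccount", "info": {
                  "nonceAccount": "NonceAcctXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
                  "nonceAuthority": "SignerAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
                  "recentBlockhashesSysvar": "SysvarRecentB1ockHashes11111111111111111111"}}}
ADMIN_IX = {"programId": "ProtocolProgramXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "data": "3xHb",
            "accounts": ["MultisigConfigXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"]}
TRANSFER_IX = {"programId": SYSTEM_PROGRAM, "program": "system",
               "parsed": {"type": "transfer", "info": {"lamports": 1}}}
ADMIN_KEYS = ["SignerAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "NonceAcctXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
              "MultisigConfigXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "ProtocolProgramXXXXXXXXXXXXXXXXXXXXXXXXXXXX"]
USER_KEYS = ["UserXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "UserYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY"]

# Constructed sample: two pre-signed admin txs 4 slots apart, one ordinary
# transfer, and one benign durable-nonce transfer much later.
SAMPLE_TXS = [
    make_tx("sig1", 1000, ADMIN_KEYS, [ADVANCE_IX, ADMIN_IX]),
    make_tx("sig3", 1002, USER_KEYS, [TRANSFER_IX]),
    make_tx("sig2", 1004, ADMIN_KEYS, [ADVANCE_IX, ADMIN_IX]),
    make_tx("sig4", 5000, USER_KEYS + ["NonceAcctXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"], [ADVANCE_IX, TRANSFER_IX]),
]

if __name__ == "__main__":
    findings = [triage(t) for t in SAMPLE_TXS]
    for f in findings:
        print(f.signature, f.slot, f.severity, f.watched)
    print("correlated bursts:", correlate(findings))
```

In practice the input would come from getSignaturesForAddress on each watchlisted account followed by getTransaction for each signature; the classification itself does not change. The useful lesson is the ordering of the checks: durable nonce alone is noise, durable nonce plus an admin target is an alert, and two such alerts a few slots apart is the incident.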
Funds Affected and Immediate Response
The impact of the nonce attack is significant. Funds in lending, vaults and trading accounts were affected, but not all assets were lost. Assets held outside the protocol and those in the insurance fund remain safe.
All deposits into borrow/lend, vault deposits and funds deposited for trading are affected.
Unaffected:
– DSOL not deposited in Drift (including assets staked to the Drift Validator)
– Insurance Fund assets which will be withdrawn from the protocol for safeguarding
As a…
— Drift (@DriftProtocol) April 2, 2026
As a safety step, the protocol has frozen most functions and updated its multisig setup to remove the compromised access. The Drift Protocol team is working with security firms, exchanges and law enforcement to track and, where possible, recover the stolen funds.
What This Means for DeFi
This incident shows a key risk in DeFi: even when smart contracts are secure, human factors can still create weak points. Multisig systems are meant to improve security, but if approvals are mishandled, they become a target.
For users, this is a reminder to stay cautious. For developers, it shows the need for stronger safeguards around approvals and admin controls. The Drift Protocol team has promised a full report in the coming days; until then, the focus remains on damage control and investigation. The nonce attack on Drift Protocol stands as one of the largest DeFi incidents of 2026 so far, and its lessons may shape how protocols handle security going forward.