Drift Protocol Hack

On April 1, 2026, Drift Protocol on Solana suffered the largest hack of 2026 with over $280M stolen. An attacker spent weeks preparing a sophisticated operation using durable nonce accounts to pre-sign transactions, obtained 2/5 multisig approvals through social engineering, then executed an admin takeover and drained over half the protocol's funds before bridging everything to Ethereum.

This wasn't a smart contract bug or stolen seed phrase. The attacker planned this for weeks. On March 23, they set up four durable nonce accounts. Two were linked to real Drift Security Council multisig members and two to attacker wallets. Durable nonces are a Solana feature that lets you pre-sign transactions and execute them later without expiring.

Over the next week, the attacker tricked 2 out of 5 multisig signers into approving what looked like legitimate transactions. These were actually malicious pre-signed transactions waiting to execute. On April 1, Drift ran a normal test withdrawal from their insurance fund. Just one minute later, the attacker triggered their pre-signed transactions. Within 4 slots, they transferred admin control to themselves and took over the entire protocol.

With admin access, they drained user deposits from borrow/lend positions, vaults, and trading accounts. The haul was massive, over $280M in a dozen different tokens. They moved fast, bridging 129K ETH (about $270.9M) from Solana to Ethereum using Circle's bridge. Another 2.5M USDC got bridged and swapped for more ETH. The DRIFT token crashed 37%. Only assets not deposited in Drift stayed safe, including staked DSOL and the insurance fund which was pulled to safety.

Main Attacker Wallet (Solana): 7RoMqGAcU7S6ESAhPDvB9iSXvASUhuoE8u7dYRxGBew9