The attack on Drift Protocol was not a hack in the traditional sense.
Nobody found a bug or cracked a private key. There was no flash loan exploit or manipulated oracle either.
Instead, an attacker used a legitimate Solana feature, 'durable nonces,' to trick Drift's security council into pre-approving transactions that would be executed weeks later, at a time and in a context the signers never intended.
The result was a drain of at least $270 million that took less than a minute to execute but more than a week to set up.
What durable nonces are and why they exist
On Solana, every transaction includes a 'recent blockhash,' essentially a timestamp that proves the transaction was created recently. That blockhash expires after about 60 to 90 seconds. If the transaction isn't submitted to the network within that window, it becomes invalid. This is a safety feature and helps prevent old, stale transactions from being replayed later.
Durable nonces override that safety feature. They replace the expiring blockhash with a fixed 'nonce,' a one-time code stored in a special onchain account, that keeps the transaction valid indefinitely until someone chooses to submit it.
The feature exists for legitimate reasons. Hardware wallets, offline signing setups, and institutional custody solutions all need the ability to prepare and approve transactions without being forced to submit them within 90 seconds.
But indefinitely valid transactions create a problem. If one can get someone to sign a transaction today, it can be executed next week or next month, per the system's hardcoded rules. The signer has no way to revoke their approval once it's given, unless the nonce account is manually advanced, which most users don't monitor.
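The lifecycle described above, as an added example that is not Drift's or Solana's code: a simplified Python model of a signed transaction, a check a multisig signer tool could run before approving, and a validity check that shows why a blockhash-based approval dies after the 60 to 90 second window while a durable-nonce approval survives until the nonce account is advanced. The Transaction, Instruction and ChainState classes, the "DriftProgramPlaceholder" program id and all account names and nonce values are constructed stand-ins; the System Program id and the AdvanceNonceAccount discriminant (4 as a little-endian u32, which a durable-nonce transaction must carry as its first instruction) are the real ones.

```python
"""Durable-nonce awareness for a multisig signer (simplified model, not Drift's code)."""
from dataclasses import dataclass

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = (4).to_bytes(4, "little")  # bincode enum discriminant for AdvanceNonceAccount
BLOCKHASH_TTL_SECONDS = 90  # upper end of the roughly 60-90 s window for a recent blockhash


@dataclass
class Instruction:
    program_id: str
    accounts: list   # pubkeys; for AdvanceNonceAccount, accounts[0] is the nonce account
    data: bytes


@dataclass
class Transaction:
    recent_blockhash: str  # a real blockhash, or the stored nonce value for a durable-nonce tx
    instructions: list


@dataclass
class ChainState:
    now: int                   # unix seconds
    blockhash_issued_at: dict  # blockhash -> unix seconds it was produced
    nonce_accounts: dict       # nonce account pubkey -> nonce value currently stored


def is_durable_nonce_tx(tx: Transaction) -> bool:
    """A durable-nonce transaction has System Program AdvanceNonceAccount as instruction 0."""
    if not tx.instructions:
        return False
    first = tx.instructions[0]
    return first.program_id == SYSTEM_PROGRAM_ID and first.data[:4] == ADVANCE_NONCE_ACCOUNT


def is_still_valid(tx: Transaction, chain: ChainState) -> bool:
    """Would the cluster still accept this already-signed transaction right now?"""
    if is_durable_nonce_tx(tx):
        nonce_account = tx.instructions[0].accounts[0]
        # Valid exactly as long as the stored nonce matches; advancing the account revokes it.
        return chain.nonce_accounts.get(nonce_account) == tx.recent_blockhash
    issued = chain.blockhash_issued_at.get(tx.recent_blockhash)
    return issued is not None and chain.now - issued <= BLOCKHASH_TTL_SECONDS


def review_before_signing(tx: Transaction) -> list:
    """Findings a signer UI should surface before a council member approves."""
    findings = []
    if is_durable_nonce_tx(tx):
        nonce_account = tx.instructions[0].accounts[0]
        findings.append(
            f"DURABLE_NONCE: approval stays executable until nonce account "
            f"{nonce_account} is advanced, not for {BLOCKHASH_TTL_SECONDS} seconds"
        )
    return findings


def run_scenario() -> dict:
    """Constructed scenario: two transactions signed at t0, replayed nine days later."""
    t0 = 1_700_000_000
    nine_days = 9 * 24 * 3600
    chain = ChainState(
        now=t0,
        blockhash_issued_at={"blockhash_A": t0},
        nonce_accounts={"NonceAcct1": "nonce_value_X"},  # constructed pubkey and value
    )
    routine_tx = Transaction(
        recent_blockhash="blockhash_A",
        instructions=[Instruction("DriftProgramPlaceholder", ["vault"], b"\x01")],
    )
    durable_tx = Transaction(
        recent_blockhash="nonce_value_X",  # the stored nonce stands in for the blockhash
        instructions=[
            Instruction(SYSTEM_PROGRAM_ID,
                        ["NonceAcct1", "recent_blockhashes_sysvar", "nonce_authority"],
                        ADVANCE_NONCE_ACCOUNT),
            Instruction("DriftProgramPlaceholder", ["admin_authority"], b"\x02"),
        ],
    )
    results = {
        "routine_flags": review_before_signing(routine_tx),
        "durable_flags": review_before_signing(durable_tx),
    }
    chain.now = t0 + 60
    results["routine_valid_at_60s"] = is_still_valid(routine_tx, chain)
    chain.now = t0 + nine_days
    results["routine_valid_at_9d"] = is_still_valid(routine_tx, chain)
    results["durable_valid_at_9d"] = is_still_valid(durable_tx, chain)
    # Defender action: advancing the nonce account invalidates the pre-signed transaction.
    chain.nonce_accounts["NonceAcct1"] = "nonce_value_Y"
    results["durable_valid_after_advance"] = is_still_valid(durable_tx, chain)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two defender-side takeaways are in `review_before_signing` and the last step of `run_scenario`: a signer tool can recognise a durable-nonce transaction from its first instruction alone and demand extra scrutiny, and an approval that was already given can be revoked by advancing the nonce account before anyone submits the transaction.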
How the attacker used them
Drift's protocol was governed by a 'Security Council multisig,' a system in which multiple people (in this case, five) share control, and any action requires at least two of them to approve. Multisigs are a standard security practice in DeFi, where the idea is that compromising a single person isn't enough to steal funds.
But the attacker didn't need to compromise anyone's keys. All they needed were two signatures, and they appear to have obtained them through what Drift describes as "unauthorized or misrepresented transaction approvals," meaning the signers likely thought they were approving a routine transaction.
Here is the timeline Drift published in a Thursday X post.
On March 23, four durable nonce accounts were created. Two were associated with legitimate Drift Security Council members. Two were controlled by the attacker. This means the attacker had already obtained valid signatures from two of the five council members, locked into durable nonce transactions that would not expire.
On March 27, Drift executed a planned Security Council migration to swap out a council member. The attacker adapted. By March 30, a new durable nonce account appeared, tied to a member of the updated multisig, indicating the attacker had re-obtained the required two-of-five approval threshold under the new configuration.
On April 1, the attacker executed.
First, Drift ran a legitimate test withdrawal from its insurance fund. Roughly one minute later, the attacker submitted the pre-signed durable nonce transactions. Two transactions, four slots apart on the Solana blockchain, were enough to create and approve a malicious admin transfer, then approve and execute it.
Within minutes, the attacker had full control of Drift's protocol-level permissions. They used that control to introduce a fraudulent withdrawal mechanism and drain the vaults.
What was taken and where it went
Onchain researchers tracked the fund flows in real time. The breakdown of stolen assets, compiled by security researcher Vladimir S., totaled roughly $270 million across dozens of tokens.
The largest single category was $155.6 million in JPL tokens, followed by $60.4 million in USDC, $11.3 million in CBBTC (Coinbase wrapped bitcoin), $5.65 million in USDT, $4.7 million in wrapped ether, $4.5 million in DSOL, $4.4 million in WBTC, $4.1 million in FARTCOIN, and smaller amounts across JUP, JITOSOL, MSOL, BSOL, EURC, and others.

The primary drainer wallet was funded eight days before the attack via NEAR Protocol intents but remained inactive until execution day. Stolen funds were transferred to intermediary wallets that had been funded just the day before via Backpack, a decentralized crypto exchange that requires identity verification, potentially giving investigators a lead.
From there, funds moved to Ethereum addresses via Wormhole, a cross-chain bridge. Those Ethereum addresses had been pre-funded using Tornado Cash, the sanctioned privacy mixer.
ZachXBT, a prominent onchain investigator, noted that over $230 million in USDC was bridged from Solana to Ethereum via Circle's CCTP (Cross-Chain Transfer Protocol) across more than 100 transactions.
He criticized Circle, the centralized issuer of USDC, for not freezing the stolen funds during a six-hour window after the attack began around noon Eastern time.
The attack was also reminiscent of recent social engineering attempts, using tactics similar to those seen before, according to a social media post by a user who goes by 'Temmy.' "we've seen this before. we've seen this so many times," the user said.
"bybit. $1.4 billion. the attacker compromised the signing infrastructure and tricked signers into authorizing malicious transactions. same concept. social engineering. not code. ronin bridge. $625 million. compromised validator keys. same story. cetus protocol. $223 million. different method but same result. hundreds of millions gone." the post said.
What was not compromised
What failed was the human layer around the multisig. Durable nonces allowed the attacker to separate the moment of approval from the moment of execution by more than a week, creating a gap in which the context of the signed document no longer matched the context in which it was used.
All deposits into Drift's borrow-and-lend products, vault deposits, and trading funds are affected. DSOL tokens not deposited in Drift, along with assets staked to the Drift validator, are unaffected. Insurance fund assets are being withdrawn and safeguarded. The protocol has been frozen, and the compromised wallet has been removed from the multisig.
As such, this is the third major exploit in recent months that did not involve a code vulnerability. Social engineering and operational security failures, rather than smart contract bugs, are increasingly how money leaves DeFi protocols.
The durable nonce vector is particularly dangerous because it exploits a feature that exists for good reason and is difficult to defend against without fundamentally changing how multisig approvals work on Solana.
The open question, which Drift's forthcoming detailed postmortem will need to answer, is how two separate multisig members approved transactions they didn't understand, and whether any tooling or interface changes could have flagged durable nonce transactions as requiring extra scrutiny.
Read more: North Korean hackers likely behind $286 million Drift Protocol exploit