Drift Protocol on Solana was drained of $280 million — not through a code bug, but through misuse of a legitimate Solana feature called "durable nonces." Attackers pre-signed administrative transfers weeks before executing them, bypassing Drift's multi-signature security in minutes. This is one of the most sophisticated DeFi exploits in history — and its method has implications for every DeFi user.
What Are "Durable Nonces" and How Were They Exploited?
A "nonce" in blockchain transactions is a value that prevents a transaction from being replayed. On Solana that role is normally played by a recent blockhash, which also makes a signed transaction expire after a short window. A "durable nonce" is a legitimate Solana feature that replaces the recent blockhash with the value stored in a nonce account; the transaction stays valid until that nonce is advanced, so it can be pre-signed offline and submitted much later, which is useful for hardware wallets and air-gapped signing setups where network connectivity during signing is a security risk.
How the attackers used it: they obtained (through social engineering, phishing, or an insider) a legitimate admin private key weeks before the attack. They used durable nonces to pre-sign administrative withdrawal transactions — valid transactions that would only become executable under specific future conditions. When the time came, they executed all pre-signed transactions simultaneously, draining the protocol before any automated security could respond. The transactions were entirely valid — the smart contract had no way to know they were malicious.
What This Means for DeFi Security
This exploit proves that even perfectly audited smart contracts can be drained if private key security fails. The lesson: DeFi security is only as strong as its weakest human. Drift's code was correct. Their multisig process was bypassed by a social engineering or insider attack that compromised a signing key weeks before the exploit executed. Billions of dollars in DeFi protocols are protected by multi-signature schemes — and the human beings controlling those keys are the attack surface.
Drift's Response and Industry Implications
Drift has paused all operations, is working with blockchain security firms to trace the attacker, and has engaged the FBI. The stolen funds are being tracked — blockchain is public and large movements are visible. The exploit has already prompted other Solana DeFi protocols to audit their durable nonce exposure and admin key security practices. Experts recommend: time-locks on admin operations (a 48-72 hour delay before large admin actions execute), geographic distribution of key signers, and hardware security modules for key storage.
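The durable-nonce exposure audit recommended above can be partly automated. The following is an added example, not code from the article or from Drift: a small Python detector that takes transactions in the shape of Solana RPC getTransaction jsonParsed output (an assumption about the field layout) and alerts on any durable-nonce transaction whose signer or nonce authority is a watched admin or multisig key; all sample keys, signatures and transactions are constructed placeholders.

```python
"""Flag durable-nonce transactions that touch watched admin/multisig keys.
Input shape assumed: Solana RPC getTransaction with encoding "jsonParsed"
(instructions carry programId + parsed.type; accountKeys carry "signer").
All sample data is constructed; keys and signatures are placeholders."""
SYSTEM_PROGRAM = "11111111111111111111111111111111"

def durable_nonce_info(tx: dict) -> "dict | None":
    """Return advanceNonce info if the FIRST instruction is SystemProgram
    AdvanceNonceAccount (the only position the runtime honours), else None."""
    instrs = tx["transaction"]["message"]["instructions"]
    first = instrs[0] if instrs else {}
    parsed = first.get("parsed") or {}
    if first.get("programId") == SYSTEM_PROGRAM and parsed.get("type") == "advanceNonce":
        return parsed["info"]
    return None

def flag_admin_nonce_txs(txs: list, watched: set) -> list:
    """One alert per durable-nonce tx whose signer or nonce authority is watched."""
    alerts = []
    for tx in txs:
        info = durable_nonce_info(tx)
        if info is None:
            continue
        keys = tx["transaction"]["message"]["accountKeys"]
        signers = {a["pubkey"] for a in keys if a.get("signer")}
        hits = (signers | {info["nonceAuthority"]}) & watched
        if hits:
            alerts.append({"signature": tx["transaction"]["signatures"][0],
                           "nonce_account": info["nonceAccount"],
                           "watched_keys": sorted(hits)})
    return alerts

def _tx(sig: str, signer: str, instructions: list) -> dict:
    """Build a minimal jsonParsed-shaped transaction (constructed sample)."""
    return {"transaction": {"signatures": [sig], "message": {
        "accountKeys": [{"pubkey": signer, "signer": True}],
        "instructions": instructions}}}

ADMIN = "AdminSignerPlaceholder1111111111111111111111"    # constructed, not real
NONCE_ACCT = "NonceAccountPlaceholder111111111111111111111"  # constructed, not real
SAMPLE_TXS = [
    # pre-signed admin action: nonce advance first, protocol instruction second
    _tx("constructed-sig-1", ADMIN, [
        {"programId": SYSTEM_PROGRAM, "parsed": {"type": "advanceNonce", "info": {
            "nonceAccount": NONCE_ACCT, "nonceAuthority": ADMIN}}},
        {"programId": "ProtocolProgramPlaceholder"}]),
    # ordinary user transfer with a recent blockhash: must not alert
    _tx("constructed-sig-2", "UserWalletPlaceholder1111111111111111111111", [
        {"programId": SYSTEM_PROGRAM, "parsed": {"type": "transfer", "info": {}}}]),
]
```

A pre-signed transaction is invisible on-chain until it is submitted, so this detector fires at execution time, not at signing time. The complementary preventive check is to enumerate the nonce accounts whose authority is an admin key and keep that set empty, or advance them on a schedule so stale pre-signed transactions become invalid.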
DeFi Hack — FAQ
Security questions for DeFi users