    Drift Protocol Loses $270M in Social Engineering Attack

    April 2, 2026
    Quick Summary: An attacker drained at least $270 million from Drift Protocol on Solana by abusing durable nonces and tricking two Security Council members into approving fraudulent transactions.

    An attacker has drained at least $270 million from Drift Protocol, a decentralized finance platform operating on the Solana blockchain, in a theft that relied on social engineering rather than a conventional code vulnerability or stolen private keys. The method used involved a legitimate Solana feature known as durable nonces, which allow transactions to be pre-signed and remain valid for an extended period. The incident highlights a growing category of risk in decentralized finance that goes beyond technical exploits.

    Drift Protocol is governed in part by a five-member Security Council multisig, a structure requiring multiple approvals before sensitive actions can be executed. The attacker managed to obtain two approvals from members of that council through misleading means, providing enough authorization to proceed with the attack. Those two approvals, secured under false pretenses, were sufficient to set the scheme in motion.

    Using the durable nonce mechanism, the attacker pre-signed a set of transactions that remained executable for more than a week after being created. This window gave the attacker time to gather the necessary approvals without raising immediate suspicion. When the moment came, the pre-signed transactions were submitted and protocol-level control was seized within minutes.

    All user deposits held within Drift Protocol were affected by the breach. Following the theft, funds were moved through a series of platforms including NEAR, Backpack, Wormhole, and Tornado Cash, complicating efforts to trace or recover the stolen assets. The use of multiple bridging and mixing services suggests a deliberate effort to obscure the trail of the funds.

    The attack draws attention to operational security failures, particularly around how durable nonce transactions are managed and reviewed within decentralized organizations. Unlike a software bug that can be patched after discovery, vulnerabilities rooted in human decision-making and procedural gaps are considerably harder to address. Security researchers and industry observers note that social engineering is increasingly becoming a primary threat vector in the DeFi space, as protocol code itself becomes more rigorously audited.

    The incident serves as a broader warning for decentralized protocols that rely on multisig governance structures. Even when the underlying code is sound, the human layer of approval processes can be manipulated if adequate verification procedures are not in place. The Drift Protocol breach underscores the need for stricter operational protocols around pre-signed transactions and more robust authentication requirements for council members before sensitive approvals are granted.
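
An added example, not from the original article or from Drift: a pre-signing check that a multisig signer's tooling could run to flag transactions that use a durable nonce. On Solana such a transaction begins with the System Program's AdvanceNonceAccount instruction; the decoded dict layout, the placeholder account names and the allowlist policy are assumptions made for this sketch.

```python
import struct

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # index of AdvanceNonceAccount in Solana's SystemInstruction enum


def durable_nonce_info(instructions):
    """Return the nonce account and authority if this is a durable-nonce transaction, else None.

    `instructions` is a list of dicts {"program_id": str, "accounts": [str], "data": bytes},
    a simplified decoded form assumed for this example.
    """
    if not instructions:
        return None
    first = instructions[0]  # the runtime only honours the nonce in the first instruction
    data = first["data"]
    if first["program_id"] != SYSTEM_PROGRAM_ID or len(data) < 4:
        return None
    (discriminant,) = struct.unpack_from("<I", data)  # u32 little-endian instruction index
    if discriminant != ADVANCE_NONCE_ACCOUNT or len(first["accounts"]) < 3:
        return None
    # Account order: nonce account, RecentBlockhashes sysvar, nonce authority
    return {"nonce_account": first["accounts"][0], "nonce_authority": first["accounts"][2]}


def review_before_signing(tx, allowed_nonce_authorities=frozenset()):
    """Return reasons to hold a multisig approval; an empty list means no nonce concern."""
    info = durable_nonce_info(tx["instructions"])
    if info is None:
        return []
    findings = ["durable nonce: signature does not expire with the recent blockhash"]
    if info["nonce_authority"] not in allowed_nonce_authorities:
        findings.append("nonce authority not on allowlist: " + info["nonce_authority"])
    return findings


# Constructed sample transactions (placeholder names, not real addresses)
NONCE_TX = {"instructions": [
    {"program_id": SYSTEM_PROGRAM_ID,
     "accounts": ["NONCE_ACCT_PLACEHOLDER", "SYSVAR_RECENT_BLOCKHASHES", "UNKNOWN_AUTHORITY"],
     "data": struct.pack("<I", ADVANCE_NONCE_ACCOUNT)},
    {"program_id": "GOVERNANCE_PROGRAM_PLACEHOLDER", "accounts": [], "data": b"\x01"},
]}
PLAIN_TX = {"instructions": [
    {"program_id": "GOVERNANCE_PROGRAM_PLACEHOLDER", "accounts": [], "data": b"\x01"},
]}

if __name__ == "__main__":
    for name, tx in (("nonce", NONCE_TX), ("plain", PLAIN_TX)):
        print(name, review_before_signing(tx))
```

A signer workflow would treat any non-empty result as a reason to stop and verify the request through a separate channel before approving.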

    Originally reported by CoinDesk.


    © 2026 To The Moon Times.
