CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Drift Protocol administrative takeover and $285 million loss via Security Council manipulation on Solana

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

A sophisticated threat actor seized control of the Drift Protocol’s Security Council administrative powers on Solana, enabling the malicious transfer of approximately $280–$285 million in user funds. The attacker exploited durable nonce accounts and pre-signed transactions to delay execution, obtaining 2/5 multisig approvals between March 23–30, 2026. On April 1, the threat actor executed pre-signed malicious transactions immediately after a legitimate transaction, transferring admin control within minutes. Subsequent actions included deploying a malicious asset, removing withdrawal limits, and draining funds across borrow/lend deposits, vault deposits, and trading funds. Drift Protocol confirmed no compromise of seed phrases or smart contract flaws, with the attack targeting governance controls rather than code vulnerabilities. The platform froze all functions, issued a public warning, and is collaborating with security firms, exchanges, and law enforcement to trace and recover stolen assets.

Timeline

  1. 02.04.2026 22:03 1 articles · 3h ago

    Drift Protocol Security Council hijack results in $285 million loss via pre-signed transactions on Solana

    Between March 23–30, 2026, an attacker established durable nonce accounts and secured 2/5 multisig approvals from Drift Protocol’s Security Council. On April 1, 2026, the attacker executed pre-signed malicious transactions immediately after a legitimate transaction, transferring admin control within minutes. The attacker then deployed a malicious asset, removed withdrawal limits, and drained funds from borrow/lend deposits, vault deposits, and trading funds, resulting in an estimated $280–$285 million loss. Drift froze all protocol functions, issued a public warning, and is working with security firms, exchanges, and law enforcement to trace and recover stolen assets.

    Show sources
    Open in new tab

Information Snippets

  • Drift Protocol, a Solana-based DeFi trading platform with 200,000 traders and $55 billion in cumulative trading volume, suffered a $280–$285 million loss due to an administrative takeover.

    First reported: 02.04.2026 22:03
    1 source, 1 article
    Show sources

  • The attacker used durable nonce accounts and pre-signed transactions to delay execution, meeting the 2/5 multisig threshold between March 23–30, 2026.

    First reported: 02.04.2026 22:03
    1 source, 1 article
    Show sources

  • On April 1, 2026, the attacker executed pre-signed malicious transactions immediately after a legitimate transaction, transferring admin control within minutes.

    First reported: 02.04.2026 22:03
    1 source, 1 article
    Show sources

  • Post-takeover, the attacker deployed a malicious asset, removed withdrawal limits, and drained funds from borrow/lend deposits, vault deposits, and trading funds.

    First reported: 02.04.2026 22:03
    1 source, 1 article
    Show sources

  • Drift Protocol confirmed no seed phrases or smart contract vulnerabilities were exploited; the attack targeted governance controls via Security Council multisig.

    First reported: 02.04.2026 22:03
    1 source, 1 article
    Show sources

  • Drift froze all protocol functions, issued a public warning to users, and is coordinating with security firms, exchanges, and law enforcement to trace and recover stolen funds.

    First reported: 02.04.2026 22:03
    1 source, 1 article
    Show sources

  • Drift stated the DSOL token and insurance fund assets remain unaffected, with a detailed post-mortem report planned for release in the coming days.

    First reported: 02.04.2026 22:03
    1 source, 1 article
    Show sources