Drift Protocol, a DeFi trading platform on Solana, lost at least $280 million after an attacker gained control of its Security Council administrative powers. The attacker used durable nonce accounts and pre-signed transactions to execute a sophisticated, delayed takeover, introducing a malicious asset and removing withdrawal limits to drain funds.
Initial Access
Multisig Approval Acquisition
confirmed
The attacker prepared for the heist by setting up durable nonce accounts and obtaining 2/5 multisig approvals from Security Council members, meeting the required threshold for future malicious transactions.
Defender cut points
Implement stricter approval processes for multisig operations, requiring higher thresholds or independent verification for critical changes.
Enforce phishing-resistant MFA for all Security Council members to prevent credential compromise leading to approvals.
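
One way to support the independent-verification cut point, as an added example that is not code from Drift or from this page: a signer-side check that flags a serialized Solana transaction message built on a durable nonce, because an approval signed over such a message does not expire with a recent blockhash. The function names and the sample messages are constructed for illustration, and the samples are simplified.

```python
import struct

SYSTEM_PROGRAM = bytes(32)  # System Program id: 32 zero bytes (base58 "1111...1")
ADVANCE_NONCE = 4           # SystemInstruction::AdvanceNonceAccount, u32 little-endian

def _shortvec(buf, i):
    """Decode a compact-u16 length at buf[i]; return (value, next index)."""
    val = shift = 0
    while True:
        b = buf[i]
        i += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, i
        shift += 7

def uses_durable_nonce(msg: bytes) -> bool:
    """True if the serialized message's first instruction is the System
    Program's AdvanceNonceAccount, i.e. its signatures do not expire with a
    recent blockhash and stay usable until the nonce is advanced."""
    i = 1 if msg[0] & 0x80 else 0      # versioned messages start with a prefix byte
    i += 3                             # header: three count bytes
    n_keys, i = _shortvec(msg, i)
    keys_at = i
    i += 32 * n_keys + 32              # skip account keys and the blockhash/nonce field
    n_ix, i = _shortvec(msg, i)
    if n_ix == 0:
        return False
    prog = msg[i]                      # program id index of the first instruction
    n_acc, i = _shortvec(msg, i + 1)
    dlen, i = _shortvec(msg, i + n_acc)
    data = msg[i:i + dlen]
    prog_key = msg[keys_at + 32 * prog: keys_at + 32 * prog + 32]
    return (prog < n_keys and prog_key == SYSTEM_PROGRAM and n_acc > 0
            and len(data) >= 4 and struct.unpack_from("<I", data)[0] == ADVANCE_NONCE)

def _sample(ix_data: bytes, versioned=False) -> bytes:
    """Constructed, simplified message: signer, nonce account, System Program."""
    keys = b"\x01" * 32 + b"\x02" * 32 + SYSTEM_PROGRAM
    ix = bytes([2, 2, 1, 0, len(ix_data)]) + ix_data
    body = bytes([1, 0, 1, 3]) + keys + b"\x03" * 32 + bytes([1]) + ix
    return (b"\x80" + body + b"\x00") if versioned else body

DURABLE = _sample(struct.pack("<I", ADVANCE_NONCE))
TRANSFER = _sample(struct.pack("<IQ", 2, 1000))  # ordinary SystemInstruction::Transfer

if __name__ == "__main__":
    for name, m in (("durable", DURABLE), ("transfer", TRANSFER)):
        print(name, "HOLD for out-of-band review" if uses_durable_nonce(m) else "ok")
```

A signing workflow could run this on the message bytes before a council member approves and route any flagged request to a second reviewer.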