Back to Blog
exploit-teardownsvmsolanasocial-engineeringmultisignorth-korea

Drift Lost $285M to a 6-Month Con. The Smart Contract Was Fine.

|Odin Scan Team
Drift Lost $285M to a 6-Month Con. The Smart Contract Was Fine.

On April 1, 2026, Drift Protocol lost $285 million in 12 minutes. It is the largest DeFi hack of the year and the second largest in Solana's history, behind only the $326M Wormhole bridge drain in 2022.

There was no smart contract bug. No missing check. No forgotten modifier. The attackers did not need one.

They spent six months building a relationship, got the Security Council to sign a transaction they did not understand, then used admin control to whitelist a fake token as collateral and withdraw real assets against it.

This is the story of how Drift got rugged by its own governance.

What Happened

Drift is a perpetuals DEX on Solana with around $550M in TVL at the time of the attack. On March 27, 2026, the team migrated its Security Council to a new 2 of 5 multisig with a zero second timelock. That migration is the moment the clock started.

On April 1, between 03:14 and 03:26 UTC, the attacker executed 31 rapid withdrawals. Total drain: 285 million dollars in USDC, SOL, ETH, and JLP.

By the time the community noticed, the funds were already being bridged to Ethereum through Circle's CCTP and fragmented across mixers.

Drift's TVL collapsed 55 percent that day. The DRIFT token dropped 42 percent. SOL dropped 5.5 percent on the news alone. At least 20 protocols with downstream exposure to Drift vaults paused or halted.

The Three-Part Attack

The exploit combined three separate attack vectors, each enabling the next. None of them were novel. The novelty was in the combination and the patience.

Part 1: The Six-Month Social Engineering Campaign

Starting in late 2025, attackers posing as a quantitative trading firm began building relationships with Drift contributors. Professional messaging. Real-seeming LinkedIn profiles. Actual trading activity on-chain. The kind of long-horizon infiltration that only a state-level actor bankrolls.

The goal was not to steal keys. It was to get the Security Council to sign things without suspicion.

Part 2: The Durable Nonce Trick

Solana has a feature called durable nonces. Normally, a transaction must be submitted within a short window or the nonce it uses expires. Durable nonces let you sign a transaction now and submit it much later, as long as the nonce account has not rotated.

This feature exists for good reasons. Cold storage transfers. Multi-party ceremonies where signing happens days apart from execution. The problem is that a signer looking at a durable nonce transaction in their wallet UI sees the effect today, but the transaction can land at any point in the future, in any state the chain happens to be in.

The attackers socially engineered Drift Security Council members into pre-signing several "delayed" administrative transactions. The signers believed they were approving routine operations. What they were actually signing was a future transfer of admin control to an attacker-controlled PDA.

Nobody caught it because the UI decoded the instruction as a mundane call. The actual bytecode of what was being signed was never read by a human.

Part 3: The Zero-Timelock Migration

On March 27, Drift migrated its Security Council configuration. New threshold: 2 of 5. New timelock: zero.

Before March 27, any admin action had to sit through a delay before execution. That delay is the last line of defense. It gives the community time to notice an unusual transaction, to scream about it in Discord, to spin up a governance veto, to do anything at all.

With the timelock set to zero, the pre-signed transactions could land and take effect in the same block. No warning window. No intervention window. Just signed, submitted, executed.

How the Drain Actually Worked

Once the pre-signed transactions landed on April 1, admin control belonged to the attacker. From there the drain was mechanical.

Step 1. Deploy a fake token (CVT). The attackers had deployed CVT (CarbonVote Token) on March 12 with a supply of 750 million. They seeded a thin Raydium liquidity pool and wash-traded to anchor the price at roughly one dollar.

Step 2. Stand up a malicious oracle. They deployed a price oracle they controlled, reporting that CVT was worth one dollar. Drift's oracle adapter trusted it.

Step 3. Whitelist CVT as collateral. Using admin control, they added CVT to Drift's list of acceptable collateral assets.

Step 4. Raise withdrawal limits. Standard daily withdrawal limits would have capped the damage. Admin control means those limits are a soft ceiling, not a hard one.

Step 5. Deposit 500M CVT, withdraw 285M in real assets. Thirty-one withdrawal transactions in 12 minutes. USDC, SOL, ETH, JLP out. Fake CVT in.

The smart contract did exactly what it was told to do. The told-to-do came from an address that had been handed the keys by its rightful owners.

The Attribution

TRM Labs, Chainalysis, and Elliptic have all pointed at the Democratic People's Republic of Korea. The attack pattern matches prior DPRK campaigns: patient social engineering, infrastructure staging weeks or months in advance, tight laundering choreography through mixers and bridges.

If this attribution holds, Drift joins a list that already includes Ronin ($625M), Harmony Horizon ($100M), WazirX, and a growing roster of 2024 and 2025 targets. The common thread is not a shared vulnerability in the code. It is that Lazarus operators do not need one.

What a Smart Contract Scanner Cannot See

We want to be direct about what Odin Scan catches and what it does not.

Odin Scan catches contract-level vulnerabilities. Reentrancy, oracle misuse, access control holes, missing validation, insecure upgrade patterns. If a logic bug in Drift's code had caused this loss, we would have flagged it in CI/CD.

But no code bug caused this. The contract processed valid admin calls signed by legitimate key holders. From the chain's perspective, everything about April 1 was authorized.

What we can catch in this class of attack is the configuration surface.

  • A scan of the March 27 Security Council migration would have flagged the zero timelock value as a critical configuration risk. A timelock of zero on an admin-controlled protocol is a known red flag. We would have called it out.
  • A scan of the CVT listing transaction would have flagged an unaudited, thinly-traded collateral asset. The combination of low liquidity and direct oracle dependence is a pattern we score as high risk.
  • A scan of the oracle adapter configuration would have flagged a price feed from an unverified source, pointing at a contract deployed less than three weeks prior.

None of those checks stop a determined, well-funded attacker who has already compromised the signing process. They do raise the cost. They force the attack to survive a second pair of eyes. They make it harder to land a rug through normal governance plumbing.

What Would Actually Have Prevented It

Non-zero timelock on admin actions. Every DeFi protocol with meaningful TVL should have a minimum 24 hour timelock on any admin action that can touch user funds. The April 1 window would have been April 2, and by April 2 the community would have been awake.

Transaction decoding on hardware wallets. Solana wallet UIs today typically show a decoded summary. The raw transaction bytes, with all the instructions and accounts, are technically visible but rarely read. For Security Council signing of high-stakes actions, the signing device should display the decoded instructions from first principles, not from a UI that might be spoofed or misread.

Ban on durable nonces for privileged operations. Durable nonces are a dangerous feature for admin transactions. Time of signing should equal time of execution for anything with privileged access. If an operation is important enough to need a council signature, it is important enough that the council should be watching when it lands.

Multiple, independent oracle sources for new collateral. Drift's oracle adapter accepted a single feed for CVT. A standard for new collateral should be at least two independent feeds with a circuit breaker if they diverge by more than a defined percentage. A single attacker-controlled oracle cannot hijack a system that demands consensus.

Pre-signed transaction registry. A transparent, onchain registry of every pending pre-signed admin transaction, with decoded instructions published to a public channel, would make durable nonce attacks visible before they land. If the community could see the pre-signed transfer sitting in the mempool of the council, somebody would have asked about it.

Why This Was Not a Drift Failure Alone

The uncomfortable truth is that most DeFi protocols are one social engineering campaign away from this exact outcome. Multisigs with short or zero timelocks. Admin powers that can whitelist new collateral unilaterally. Oracle adapters that accept single-source feeds. Signing flows that rely on UI decoding.

Drift was not negligent. They ran a real protocol at scale with real users. The problem is that the baseline configuration for most DeFi protocols is too permissive for what sophisticated nation-state actors are now doing.

The question every protocol team should be asking after April 1 is not "could this happen to Drift again" but "what is my equivalent of the zero timelock migration."

The Takeaway

Contract security and operational security are not separable anymore. Lazarus figured that out years ago. The industry is still catching up.

Every protocol running with elevated admin privileges should treat the configuration of those privileges as part of its attack surface. Timelocks, collateral whitelisting, oracle sources, signing procedures. All of it should go through the same review rigor as the contract code itself.

Odin Scan scans contract code, deployment scripts, governance proposal files, and configuration data. It catches the class of issues that would have shown up in a Drift pre-migration review. It cannot stop social engineering. It can close the door that social engineering walks through.

Want automated security scanning on every PR, governance proposal, and deployment script? Start a free trial and have Odin Scan running on your repository in under five minutes. We support EVM, Solana, CosmWasm, and Cosmos SDK.

Questions about your specific setup? support@odinscan.ai.

Sources: Chainalysis post-mortem, TRM Labs analysis, Elliptic attribution, Bloomberg coverage.