The DeFi protocol Drift suffered a serious blow: according to its own report and follow-up analysis by forensic firms, a malicious actor managed to seize the administrative powers of its so-called Security Council and, with them, drain hundreds of millions in assets. Drift estimates losses of around $280 million, while the on-chain tracker PeckShield puts the theft at approximately $285 million. Drift published its official update on X / Twitter, and PeckShield published its own count.
What distinguishes this incident is not a flaw in Drift's smart contracts - the platform insists that its programs were not exploited and that no seed phrases were leaked - but a planned, surgical maneuver against administrative governance. The attacker took advantage of a Solana blockchain feature known as durable nonces and combined it with pre-signed transactions to orchestrate a delayed, precisely timed attack. Solana's technical documentation on this feature explains how durable nonces make it possible to create valid transactions that can be executed at a later time; Drift claims that this is exactly what the attacker used to time the attack.

According to the timeline published by Drift, the preparation took place between 23 and 30 March, a period in which the attacker created durable nonce accounts and obtained partial approvals from the Security Council multisig: they managed to collect the 2 of 5 signatures needed to reach the required threshold and pre-signed malicious transactions without executing them immediately. This combination - pre-signed transactions that remain valid thanks to durable nonces - allowed the attacker to first carry out a legitimate operation on 1 April and then trigger the pre-signed instructions to transfer administrative control to their own addresses within minutes.
With administrative control in hand, the attacker introduced a fraudulent asset into the protocol, removed withdrawal limits and drained funds from lending deposits, vaults and trading accounts. Drift said that certain components, such as DSOL, were not affected and that the assets of its insurance fund remain protected, but most of the protocol's functions were practically paralyzed while the full scope of the damage is investigated. In response to the abnormal activity, the platform issued public warnings asking users not to deposit more funds and launched a coordinated investigation with security firms, exchanges and authorities.
Beyond the final figure - which may still change depending on recoveries or reclassifications - the episode highlights a risk vector that does not always receive the attention it deserves: the security of keys and signing processes in multisig and governance structures. Even when the protocol logic and the contracts are properly designed, whoever controls the administrative keys can impose system-wide actions, however robust the code base is. So even in non-custodial projects like Drift - which restated its model in its annual review, where it reported hundreds of thousands of traders and significant trading volumes - protecting the signing flows and the environments in which transactions are approved is critical.

There is not yet a public conclusion on how the multisig approvals were obtained: the cause could be compromised devices, social engineering aimed at signers, or operational process failures that allow partial approvals to be combined with pre-signed transactions. Whatever the vector, the practical lesson for other protocols and users is clear: keep critical signing in isolated environments, use timelock mechanisms so there is time to react to unusual operations, and review administrative limits and permissions regularly. All this should be complemented by active on-chain monitoring and cooperation with analytics firms and exchanges to try to freeze funds as soon as possible, as Drift has reported it is trying to do.
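The monitoring and signing-review lesson above can be made concrete. The following is an added example, not code from Drift or Solana: it flags a transaction that starts with the System Program's nonce-advance instruction (the marker of a durable-nonce transaction) and also writes to an administrative account. It assumes the dictionary shape returned by Solana's `getTransaction` RPC with `jsonParsed` encoding; the policy function, account names and sample transactions are hypothetical and constructed for illustration.

```python
SYSTEM_PROGRAM_ID = "1" * 32  # Solana System Program address (32 '1' characters)

def durable_nonce_info(tx):
    """Return the advanceNonce info if tx is a durable-nonce transaction, else None."""
    instructions = tx["transaction"]["message"]["instructions"]
    if not instructions:
        return None
    # Only the FIRST instruction counts: a durable-nonce transaction must start with
    # System Program AdvanceNonceAccount; its recentBlockhash field is the stored nonce.
    first = instructions[0]
    parsed = first.get("parsed")
    if (first.get("programId") == SYSTEM_PROGRAM_ID and isinstance(parsed, dict)
            and parsed.get("type") == "advanceNonce"):
        return parsed.get("info", {})
    return None

def review_signing_request(tx, admin_accounts):
    """Hypothetical pre-signing policy: list findings a signer should see."""
    findings = []
    info = durable_nonce_info(tx)
    if info is not None:
        findings.append("durable nonce: no blockhash expiry, nonce account "
                        + str(info.get("nonceAccount")))
    keys = tx["transaction"]["message"]["accountKeys"]
    writable = {k["pubkey"] for k in keys if k.get("writable")}
    admin_hits = sorted(writable & set(admin_accounts))
    findings += ["writes admin account " + a for a in admin_hits]
    if info is not None and admin_hits:
        findings.append("HOLD: non-expiring transaction that changes admin state")
    return findings

# Constructed sample data (placeholder names, not real addresses).
def _tx(instructions, writable):
    return {"transaction": {"message": {
        "accountKeys": [{"pubkey": p, "writable": True} for p in writable],
        "instructions": instructions}}}

ADVANCE = {"programId": SYSTEM_PROGRAM_ID, "program": "system",
           "parsed": {"type": "advanceNonce",
                      "info": {"nonceAccount": "CONSTRUCTED_NONCE_ACCT"}}}
ADMIN_IX = {"programId": "CONSTRUCTED_PROGRAM",
            "accounts": ["CONSTRUCTED_ADMIN_STATE"], "data": "CONSTRUCTED"}
DURABLE_ADMIN_TX = _tx([ADVANCE, ADMIN_IX], ["CONSTRUCTED_NONCE_ACCT", "CONSTRUCTED_ADMIN_STATE"])
NORMAL_ADMIN_TX = _tx([ADMIN_IX], ["CONSTRUCTED_ADMIN_STATE"])
NONCE_NOT_FIRST_TX = _tx([ADMIN_IX, ADVANCE], ["CONSTRUCTED_ADMIN_STATE"])

if __name__ == "__main__":
    for tx in (DURABLE_ADMIN_TX, NORMAL_ADMIN_TX, NONCE_NOT_FIRST_TX):
        print(review_signing_request(tx, {"CONSTRUCTED_ADMIN_STATE"}))
```

A signer-side tool or a chain monitor can apply the same check; the hold rule is one possible policy, and a timelock on administrative changes addresses the same risk from the execution side.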
The DeFi community and affected users are awaiting the post-mortem that Drift promised to publish in the coming days. Such a report should clarify the forensic measures that have been taken, the exact nature of the pre-signed transactions and recommendations to prevent similar schemes from succeeding. Meanwhile, anyone with exposure to the protocol should review official communications and move assets to safe environments if necessary. Drift's official updates and its initial warning to the public are available on its X / Twitter account.
This incident is a reminder that in the crypto ecosystem security does not depend exclusively on the correctness of the code: it also depends on the people, processes and tools that manage signatures. While researchers and authorities try to trace and, as far as possible, freeze the funds, the industry will need to reflect on how to tighten governance models and reduce the attack surface represented by pre-prepared transactions and vulnerable signing schemes.