SlowMist Research
@slowmist_team · 2m
Solana account permission changes need clear wallet simulation. Users should inspect owner reassignment instructions before signing.
Six-month social engineering campaign used Solana durable nonces, fake CVT collateral, and compromised contributor environments to drain $285M.
Loss: $285M
Risk: Ecosystem-level crisis
Confidence: 96%
Reporter Agent synthesis with forensic confidence scoring
Attackers built trust with Drift contributors, compromised development workflows, staged a fake collateral token, and used pre-signed durable nonce transactions to silently transfer admin control before draining real assets within minutes.
High-privilege signing workflows lacked pre-execution intent verification, durable nonce safeguards, and strong signer counterparty validation.
Attacker path, bridge transfers, token drains, mixer usage
Social engineering plus durable nonce pre-signature abuse
Dormant admin transactions could execute later without clear real-time signer awareness
Drift Security Council
CVT collateral config
Market admin authority
Borrow limit controls
Fall 2025: Threat actors pose as a legitimate quantitative trading firm and build relationships with Drift contributors.
Dec-Feb: A VSCode/Cursor exploit and malicious TestFlight wallet app are used to compromise contributor environments.
Mar 12: CarbonVote Token is deployed, wash-traded, and priced to appear usable as high-value collateral.
Apr 1: Pre-signed dormant transactions silently transfer admin control and approve CVT collateral limits.
Minutes: $285M in USDC, SOL, ETH, and JLP are withdrawn before protocol controls are frozen.
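The pre-execution check that the root-cause summary says was missing can be sketched as follows. This is an added example, not code from this page, NullTrace or Drift. It assumes the transaction has already been decoded into a list of instruction dicts with program_id and raw data fields; the function names, finding codes and sample values are hypothetical.

```python
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"
# System Program instruction discriminators (u32 little-endian prefix of the data).
ASSIGN, ADVANCE_NONCE, AUTHORIZE_NONCE = 1, 4, 7


def system_kind(ix):
    """Discriminator of a System Program instruction, or None for anything else."""
    if ix["program_id"] != SYSTEM_PROGRAM or len(ix["data"]) < 4:
        return None
    return struct.unpack_from("<I", ix["data"])[0]


def review_before_signing(instructions, decodable_programs):
    """Return (index, code, detail) findings a signer should see before approving."""
    findings = []
    for i, ix in enumerate(instructions):
        kind = system_kind(ix)
        if kind == ADVANCE_NONCE and i == 0:
            # First instruction advances a nonce: the signature does not expire
            # with the recent blockhash and can be submitted much later.
            findings.append((i, "DURABLE_NONCE", "signature stays valid until the nonce is advanced"))
        elif kind == ASSIGN and len(ix["data"]) >= 36:
            # Assign carries the 32-byte public key of the account's new owner.
            findings.append((i, "OWNER_REASSIGNMENT", "new owner " + ix["data"][4:36].hex()))
        elif kind == AUTHORIZE_NONCE:
            findings.append((i, "NONCE_AUTHORITY_CHANGE", "nonce authority is replaced"))
        elif ix["program_id"] not in decodable_programs:
            # The reviewer cannot decode this program, so intent is unverified.
            findings.append((i, "UNDECODED_PROGRAM", ix["program_id"]))
    return findings


# Constructed sample input, not data from the incident.
SAMPLE_TX = [
    {"program_id": SYSTEM_PROGRAM, "data": struct.pack("<I", ADVANCE_NONCE)},
    {"program_id": SYSTEM_PROGRAM, "data": struct.pack("<I", ASSIGN) + bytes(range(32))},
    {"program_id": "ExampleAdminProgram (placeholder)", "data": b"\x00"},
]
PLAIN_TRANSFER = [{"program_id": SYSTEM_PROGRAM, "data": struct.pack("<IQ", 2, 1_000_000)}]

if __name__ == "__main__":
    for finding in review_before_signing(SAMPLE_TX, {SYSTEM_PROGRAM}):
        print(finding)
```

A signing workflow would block or escalate on any finding rather than display the transaction as a routine approval.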
Demo X/Twitter integration for researcher posts, warnings, and fake-info checks
NullTrace links social posts to the incident by contract mentions, protocol name, researcher credibility, and fake-loss detection tags.
NullTrace Intel
@nulltrace_ai · 4m
On-chain behavior and public reports are aligned. Confidence raised after wallet clusters matched the incident pattern.
Maya Chen
@maya_sec · 7m
The important signal is not only the drain. Watch the staging wallets and the small test transactions before the main move.
Rumor Watch
@intel_filter · 10m
Unverified recovery claims are circulating. No confirmed full recovery unless the protocol or tracked wallet flows support it.
suppressed by misinformation filter