$280M Lost in Drift Protocol Hack

A sophisticated attack on Drift Protocol shows that human approvals, not code, can be DeFi’s weakest link.


The $280 million Drift Protocol hack is a case study in how deeply rooted trust mechanisms can be turned against a system, not just another DeFi weakness. In contrast to typical incidents driven by smart contract exploits or stolen private keys, this attack unfolded through a carefully planned manipulation of governance approvals.

Over several days, the attacker combined social engineering with durable nonce transactions to obtain the authority needed for a covert takeover. The outcome was a near-instantaneous seizure of protocol permissions, demonstrating that human approval layers can be targeted so precisely that even well-structured multisig systems collapse.

Phase 1: Durable Nonce Setup & Hidden Approvals

On March 23, four durable nonce accounts were created, laying the foundation for the attack. Two were under the attacker's control, and the other two were linked to Drift Security Council multisig members.

The key property of this setup is that transactions can be signed ahead of time but executed later. At least 2 of the 5 multisig signers signed transactions tied to these nonce accounts, unknowingly granting future execution rights. Flagging these approvals as suspicious was very difficult because they looked legitimate at the time and did not trigger any immediate action.

Using durable nonces, the attacker was able to "store" authorisation for later use. Once the right moment came, execution could proceed immediately with no need for fresh permissions. The attack did not start on April 1st; it had been underway for several days, disguised as normal signing activity.
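As an added illustration (it is not part of the original article and not Drift's own tooling), the following Python code parses a Solana legacy transaction message and flags the pattern this phase relies on: a transaction whose first instruction is the System Program's AdvanceNonceAccount. Such a transaction carries a stored nonce in its "recent blockhash" field instead of a real recent blockhash, so the signature never expires and the transaction can be held and broadcast days later, which is exactly what a pre-signing review for multisig members should surface. The account keys, the nonce value and the payload of the second instruction are constructed placeholders; the RecentBlockhashes sysvar address is a placeholder too. Real signer tooling would use the Solana SDK and would also need to handle versioned (v0) messages, which this parser does not.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# The Solana System Program pubkey is 32 zero bytes ("11111111111111111111111111111111" in base58).
SYSTEM_PROGRAM = bytes(32)
# Discriminant of SystemInstruction::AdvanceNonceAccount, serialised as a little-endian u32.
ADVANCE_NONCE_ACCOUNT = 4


@dataclass
class CompiledInstruction:
    program_id_index: int       # index into Message.account_keys
    account_indexes: List[int]  # indexes into Message.account_keys
    data: bytes


@dataclass
class Message:
    num_required_signatures: int
    num_readonly_signed: int
    num_readonly_unsigned: int
    account_keys: List[bytes]
    recent_blockhash: bytes     # for a durable-nonce tx this is the stored nonce, not a blockhash
    instructions: List[CompiledInstruction]


def encode_compact_u16(n: int) -> bytes:
    """Solana's compact-u16 length prefix: 7 bits per byte, high bit = continuation."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n == 0:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)


def decode_compact_u16(buf: bytes, pos: int) -> Tuple[int, int]:
    value, shift = 0, 0
    for _ in range(3):  # a compact-u16 is at most 3 bytes
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("compact-u16 longer than 3 bytes")


def parse_message(buf: bytes) -> Message:
    """Parse the legacy (non-versioned) Solana message wire format."""
    sigs, ro_signed, ro_unsigned = buf[0], buf[1], buf[2]
    pos = 3
    n_keys, pos = decode_compact_u16(buf, pos)
    keys = []
    for _ in range(n_keys):
        keys.append(bytes(buf[pos:pos + 32]))
        pos += 32
    blockhash = bytes(buf[pos:pos + 32])
    pos += 32
    n_ix, pos = decode_compact_u16(buf, pos)
    ixs = []
    for _ in range(n_ix):
        prog = buf[pos]
        pos += 1
        n_acc, pos = decode_compact_u16(buf, pos)
        accs = list(buf[pos:pos + n_acc])
        pos += n_acc
        n_data, pos = decode_compact_u16(buf, pos)
        data = bytes(buf[pos:pos + n_data])
        pos += n_data
        ixs.append(CompiledInstruction(prog, accs, data))
    if pos != len(buf):
        raise ValueError("trailing bytes after message")
    return Message(sigs, ro_signed, ro_unsigned, keys, blockhash, ixs)


def uses_durable_nonce(msg: Message) -> bool:
    """True if the first instruction is SystemProgram::AdvanceNonceAccount (the durable-nonce marker)."""
    if not msg.instructions:
        return False
    first = msg.instructions[0]
    if msg.account_keys[first.program_id_index] != SYSTEM_PROGRAM:
        return False
    return len(first.data) >= 4 and struct.unpack("<I", first.data[:4])[0] == ADVANCE_NONCE_ACCOUNT


def review_findings(msg: Message) -> List[str]:
    """Human-readable findings a signer should see before approving."""
    findings = []
    if not uses_durable_nonce(msg):
        return findings
    first = msg.instructions[0]
    # AdvanceNonceAccount account order: nonce account, RecentBlockhashes sysvar, nonce authority.
    nonce_acct = msg.account_keys[first.account_indexes[0]].hex()[:8]
    authority = msg.account_keys[first.account_indexes[2]].hex()[:8] if len(first.account_indexes) > 2 else "?"
    findings.append(f"durable nonce: AdvanceNonceAccount on {nonce_acct}... (authority {authority}...); "
                    "the signature does not expire and may be broadcast at any later time")
    for i, ix in enumerate(msg.instructions[1:], start=1):
        findings.append(f"instruction {i} invokes program {msg.account_keys[ix.program_id_index].hex()[:8]}... "
                        f"with {len(ix.data)} data bytes")
    return findings


def build_sample_message(durable: bool) -> bytes:
    """Constructed sample message; every key below is a placeholder, not a real address."""
    signer = b"\x01" * 32
    nonce_account = b"\x02" * 32
    recent_blockhashes_sysvar = b"\x03" * 32  # placeholder for the real sysvar address
    target_program = b"\x04" * 32
    keys = [signer, nonce_account, recent_blockhashes_sysvar, SYSTEM_PROGRAM, target_program]
    blockhash = b"\xaa" * 32  # constructed; for a durable tx this would be the nonce account's stored value
    ixs = []
    if durable:
        ixs.append((3, [1, 2, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT)))
    ixs.append((4, [0], b"\x07"))  # placeholder payload standing in for the real action
    buf = bytearray([1, 0, 3])  # 1 required signature, 0 read-only signed, 3 read-only unsigned keys
    buf += encode_compact_u16(len(keys))
    for k in keys:
        buf += k
    buf += blockhash
    buf += encode_compact_u16(len(ixs))
    for prog, accs, data in ixs:
        buf.append(prog)
        buf += encode_compact_u16(len(accs)) + bytes(accs)
        buf += encode_compact_u16(len(data)) + data
    return bytes(buf)


if __name__ == "__main__":
    for label, durable in (("durable", True), ("ordinary", False)):
        msg = parse_message(build_sample_message(durable))
        print(label, review_findings(msg) or ["no durable-nonce usage"])
```

The check is deliberately structural: it does not try to judge whether the second instruction is benign, only to make the signer aware that what they are approving is not bound to a recent blockhash and can sit dormant. A signing policy that requires explicit acknowledgement (or a separate approval path) for AdvanceNonceAccount-prefixed transactions turns the quiet approvals described above into a visible event.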

Phase 2: Multisig Migration & Re-Establishing Access

On March 27, following a member change, Drift carried out a planned migration of its Security Council multisig. Although this change was operationally routine, it gave the attacker a further opportunity.

By March 30, another durable nonce account had been created, this one associated with a member of the new multisig. This shows that even after the governance structure changed, the attacker successfully re-established effective access to 2 of the 5 signers.

The important takeaway is that internal updates did not disrupt the attacker's plan; rather, the plan adapted. This implies ongoing contact with multisig members, most likely through deceptive transactions or deliberate social engineering to obtain approvals once more.

There is no evidence that Drift's smart contracts contained bugs or that any seed phrases were compromised. The breach originated in the process of obtaining authorisation, not in the protocol's code.

Phase 3: Execution in Minutes - From Test Transaction to Admin Takeover

On April 1, the final stage began with what looked like a routine operation: a valid test withdrawal from the insurance fund. This transaction likely avoided raising alarms and helped make the activity look normal.

Within a minute, the attacker submitted two pre-signed durable nonce transactions, separated by only 4 slots. The first constructed and approved a malicious admin transfer; the second finalised and executed it.

No further authorisation was required because the approvals had already been secured days earlier. Within minutes, the attacker had complete control over protocol-level rights.

This sequence shows how effective delayed execution can be. The only thing that changed before execution was the intent behind the instructions, which the system carried out exactly as directed.

Source: Solscan

Phase 4: Draining Funds, Impact Scope, & Emergency Response

Once administrative authority was obtained, the attacker acted quickly. By adding a malicious asset to the protocol and removing all pre-established withdrawal limits, they effectively neutralised the built-in safeguards.

With the limits lifted, about $280 million was withdrawn. The affected funds included:

  • Deposit funds in the borrow or lend pool
  • Value deposits
  • Trading balances

Certain assets, however, were unaffected:

  • DSOL, including assets staked to the Drift Validator, which was not deposited in Drift
  • Assets from the Insurance Fund that were removed from the safeguarding protocol

To prevent further damage, Drift responded by freezing all remaining protocol operations. The compromised wallet was removed from the multisig, cutting off the attacker's access through it.

The team is currently working with security firms, exchanges, bridges, and law enforcement to trace and, where possible, freeze the stolen funds. Investigations are ongoing, and a full postmortem is expected soon.

Fundamentally, the attack was made possible by a combination of pre-signed durable nonce transactions and multisig approvals that were either unauthorised or obtained under false pretences, demonstrating that governance-layer vulnerabilities can be just as serious as technical ones.

If you find any issues in this article or notice missing information, please feel free to reach out at team@etherworld.co for clarifications or updates.
