Drift Protocol Multisig Compromise Removed Withdrawal Caps and Enabled Asset Theft
Drift Protocol was compromised after an attacker gained control of a newly created 2-of-5 Squads v4 admin multisig during a migration from an older 3-of-5 setup. Investigation notes say the migration replaced four of five original members, lowered the approval threshold from 3 to 2, and left no timelock. The attacker controlled two signer accounts, enough to meet the 2-of-5 threshold alone, and used a dual durable nonce pre-signing technique to transfer protocol admin rights to a wallet under their control in less than two seconds. Shortly before the admin takeover, the attacker also withdrew $10,000 USDC from the insurance fund.
With unilateral admin access, the attacker used the UpdateWithdrawGuardThreshold capability to remove withdrawal caps across 16 spot markets, then created fake collateral markets backed by an attacker-controlled token and oracle to extract real assets from the protocol. Public proof-of-concept material highlighted how the withdrawal guard change could eliminate all withdrawal limits, while on-chain analysis linked the attacker-controlled signers through durable nonce accounts funded by the same wallet, identifying shared nonce funding as a key early warning indicator. Drift later moved protocol upgrade authority to a recovery multisig that excluded the compromised members, but reporting indicated Drift Vaults upgrade authority still remained on a multisig where the attacker retained a seat.
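The two conditions described above, a migration that lowers the threshold while swapping most members and nonce accounts for several signers paid for by one wallet, can both be checked mechanically. The Python below is an added example, not code from the investigation notes, Drift or Squads. It runs over constructed records: member keys, funder wallets and the record fields are placeholders, and a real implementation would populate them from parsed Solana transactions (nonce-account creations and multisig config changes). The threshold used to decide when shared funding is alarming is taken from the multisig itself, since a funder that controls nonce accounts for enough members to reach quorum can execute pre-signed transactions unilaterally.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NonceCreation:
    """One durable-nonce account creation, reduced to the fields the check needs.

    Constructed record shape; real data would come from parsed Solana transactions.
    """
    nonce_account: str
    authority: str   # key allowed to advance/use the nonce (a multisig member here)
    funder: str      # wallet that paid to create the account
    slot: int


@dataclass(frozen=True)
class MultisigConfig:
    members: tuple[str, ...]
    threshold: int
    timelock_seconds: int = 0


def migration_findings(old: MultisigConfig, new: MultisigConfig) -> list[str]:
    """Lint a multisig migration for the properties the Drift migration had."""
    findings = []
    replaced = set(old.members) - set(new.members)
    if len(replaced) * 2 > len(old.members):
        findings.append(f"{len(replaced)} of {len(old.members)} members replaced in one step")
    if new.threshold * 2 <= len(new.members):
        findings.append(f"threshold {new.threshold}-of-{len(new.members)} is not a majority")
    if new.threshold < old.threshold:
        findings.append(f"threshold lowered from {old.threshold} to {new.threshold}")
    if new.timelock_seconds == 0:
        findings.append("no timelock: approved transactions execute immediately")
    return findings


def shared_nonce_funders(creations, config):
    """Map each funder to the members whose nonce accounts it paid for, keeping
    only funders that alone cover enough members to meet the approval threshold.
    Pre-signed durable-nonce transactions from that many members can execute as
    soon as they are submitted, which is the pattern reported in the Drift case."""
    members = set(config.members)
    by_funder: dict[str, set[str]] = defaultdict(set)
    for c in creations:
        if c.authority in members:
            by_funder[c.funder].add(c.authority)
    return {f: sorted(m) for f, m in by_funder.items() if len(m) >= config.threshold}


# Constructed sample data (placeholder keys, not real addresses).
OLD = MultisigConfig(members=("m1", "m2", "m3", "m4", "m5"), threshold=3)
NEW = MultisigConfig(members=("m1", "n2", "n3", "n4", "n5"), threshold=2, timelock_seconds=0)
CREATIONS = [
    NonceCreation("nonceA", "n2", "funderX", 1000),
    NonceCreation("nonceB", "n3", "funderX", 1001),        # same funder as n2
    NonceCreation("nonceC", "m1", "opsWallet", 1002),
    NonceCreation("nonceD", "n4", "funderY", 1003),
    NonceCreation("nonceE", "stranger", "funderX", 1004),  # not a member, ignored
]

if __name__ == "__main__":
    for f in migration_findings(OLD, NEW):
        print("migration:", f)
    for funder, signers in shared_nonce_funders(CREATIONS, NEW).items():
        print(f"alert: {funder} funded nonce accounts for {len(signers)} members: {signers}")
```

Run against the sample data, the migration lint reports all four properties (4 of 5 members replaced, non-majority threshold, threshold lowered, no timelock) and the funding check flags `funderX` for paying for the nonce accounts of two members, exactly the quorum of the new 2-of-5 multisig. The same funder paying for a non-member's nonce account is ignored, since only members can contribute approvals.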

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Drift moves protocol upgrade authority to recovery multisig
Following the incident, Drift created a recovery multisig that excluded the attacker-controlled members and transferred Drift protocol upgrade authority to it. However, Drift Vaults upgrade authority remained on a multisig where the attacker still retained a seat, leaving residual risk.
PoC published for UpdateWithdrawGuardThreshold abuse
On 2026-05-04, a public proof-of-concept repository was published showing how `UpdateWithdrawGuardThreshold` could be used to remove withdrawal caps. The PoC reflected technical details of the mechanism abused in the Drift incident.
Public investigation notes detail attack mechanics and residual risk
On 2026-04-03, public investigation notes described the multisig migration, the dual durable nonce technique, the linked funding of nonce accounts, and the remaining exposure in Drift Vaults governance. The notes identified shared funding of nonce accounts as a key early warning signal.
Attacker disables withdrawal protections and creates fake collateral markets
After taking admin control on 2026-04-01, the attacker removed withdrawal caps across 16 spot markets and created fraudulent collateral markets backed by an attacker-controlled token and oracle. These actions enabled extraction of real assets from the protocol.
Drift Protocol suffers multisig compromise and admin takeover
On 2026-04-01, an attacker controlling two members of the newly created 2-of-5 admin multisig used a dual durable nonce pre-signing technique to transfer protocol admin rights to a plain wallet under their control in under two seconds. The compromise gave the attacker unilateral administrative control over the protocol.
Attacker drains USDC from Drift insurance fund before admin takeover
Shortly before the main compromise on 2026-04-01, the attacker withdrew $10,000 USDC from Drift Protocol's insurance fund. This occurred before protocol admin rights were transferred to the attacker's wallet.
Drift creates new 2-of-5 admin multisig during migration
On 2026-03-25, Drift Protocol created a new Squads v4 2-of-5 admin multisig as part of a migration from an older 3-of-5 multisig. The change replaced four of five original members, lowered the threshold to 2-of-5, and had no timelock, setting up the conditions later abused in the compromise.