.@DriftProtocol on #Solana was exploited several hours ago. According to its public statement, this incident was not caused by a bug in its programs or smart contracts, and there is no evidence of compromised seed phrases. The attacker appears to have tricked multisig signers into approving durable-nonce pre-signatures, enabling admin takeover and parameter abuse.

Specifically, the attacker obtained approvals through phishing or misleading signing flows and prepared malicious admin-transfer transactions in advance. At execution, the attacker sent a transaction beginning with AdvanceNonceAccount, which advanced the durable nonce and enabled delayed execution of the pre-signed flow on-chain, rather than expiring like a standard recent-blockhash transaction. The flow then proceeded through proposalApprove and vaultTransactionExecute, triggered UpdateAdmin, and completed the admin takeover.

After that, the attacker:
1. created a malicious or illiquid collateral market, identified on-chain as CVT, with permissive risk parameters;
2. switched to an attacker-controlled oracle and inflated CVT pricing;
3. raised or removed withdrawal guardrails across major real-asset markets.

The attacker then posted large amounts of CVT as collateral, borrowed against the inflated value, and withdrew real assets including USDC, wETH, dSOL, JLP, and cbBTC. Based on currently traceable on-chain activity, this was the primary value-extraction path. The current loss estimate is $285,279,417.

Admin transfer transaction: solscan.io/tx/4BKBmAJn6TdsENij...
Loss-tracking reference: solscan.io/account/HkGz4KmoZ7Z...

Drift
@DriftProtocol
04-02
Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers. This was a highly sophisticated operation that appears to have involved
From Twitter
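An added defender-side example, not code from the post or from Drift: a pre-signing check that a multisig member's wallet tooling could run over a decoded Solana message. It flags the pattern described above (a transaction that starts with AdvanceNonceAccount, which makes the signature durable instead of expiring with a recent blockhash, combined with a call into the multisig program). The message layout, the MULTISIG_PROGRAM placeholder and the sample message are assumptions; the System program id and the AdvanceNonceAccount variant tag (4, u32 little-endian) are real.

```python
from dataclasses import dataclass
from typing import List, Set

SYSTEM_PROGRAM = "11111111111111111111111111111111"
# System program instructions are bincode enums: u32 little-endian variant tag.
# AdvanceNonceAccount is variant 4.
ADVANCE_NONCE_ACCOUNT = (4).to_bytes(4, "little")
# Placeholder: the real multisig program id is not given on the page.
MULTISIG_PROGRAM = "MULTISIG_PROGRAM_ID_PLACEHOLDER"


@dataclass
class Instruction:
    program_id_index: int   # index into Message.account_keys
    account_indexes: List[int]
    data: bytes


@dataclass
class Message:
    account_keys: List[str]
    instructions: List[Instruction]


def uses_durable_nonce(msg: Message) -> bool:
    """A durable-nonce transaction must begin with AdvanceNonceAccount; that
    first instruction is what lets it be held and executed later instead of
    expiring with a recent blockhash."""
    if not msg.instructions:
        return False
    first = msg.instructions[0]
    return (msg.account_keys[first.program_id_index] == SYSTEM_PROGRAM
            and first.data[:4] == ADVANCE_NONCE_ACCOUNT)


def signing_findings(msg: Message, sensitive: Set[str]) -> List[str]:
    """Findings to surface before a multisig member approves. A durable nonce
    alone is legitimate; a durable nonce on a call into a sensitive program
    (multisig, admin) is the pattern to refuse."""
    findings = []
    durable = uses_durable_nonce(msg)
    if durable:
        findings.append("durable nonce: signature stays valid until the nonce advances")
    touched = {msg.account_keys[ix.program_id_index] for ix in msg.instructions}
    for prog in sorted(touched & sensitive):
        findings.append(f"calls sensitive program {prog}")
    if durable and touched & sensitive:
        findings.append("REJECT: durable-nonce pre-signature of a sensitive call")
    return findings


def constructed_sample() -> Message:
    """Constructed message shaped like the flow in the post: AdvanceNonceAccount
    first, then an instruction into the placeholder multisig program."""
    keys = ["signer", "nonce_account", SYSTEM_PROGRAM, MULTISIG_PROGRAM]
    return Message(keys, [
        Instruction(2, [1, 0], ADVANCE_NONCE_ACCOUNT),  # nonce account, authority
        Instruction(3, [0], b"\x00" * 8),              # opaque approve/execute data
    ])
```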