✏️Drift Protocol $200M+ Hacking, Is It a Planned Crime?

Original Thread

To start with the conclusion: it is not a code exploit. It is not a flash loan. Nor is it a traditional key theft. It is a planned crime prepared over several weeks.

Stage 1: Setup (2-3 weeks ago, original Chinese text)
The attacker minted $CVT (CarbonVote Token). They created a pool on Raydium with 500U (1 CVT = 1U) and artificially manipulated trading volume to plant a "price history" in the oracle. This was a strategic move to use it as collateral later. At this point, no one knew.

Stage 2: Loading the Time Bomb (3/23)
Enter Solana's durable nonce feature. A transaction can be signed today and executed later, whether days or weeks later. It is like keeping a signed check in a drawer. The attacker used this to set up four delayed-execution accounts. Two were tied to actual Drift Security Council members, and two were the attacker himself. Two Security Council members were tricked into blind signing through social engineering. They were unaware of what they were signing. Drift called it "transaction misrepresentation," but honestly, it was like handing over the key to their own safe. These signatures remained dormant for 9 days.

Stage 3: Replacing the Security Council Was Useless (3/27)
Drift replaced the Security Council. New members, new setup. But it was no use. Two of the new five members were compromised again. Furthermore, they switched to a 2/5 multisig and even removed the timelock. The community is now criticizing why they did this. (Comment by indra)

Stage 4: Detonation (4/1)
Drift dropped a routine test transaction. Exactly 60 seconds later, the attacker executed two pre-signed transactions. They went off in succession, 4 Solana slots apart. Hijacking of full admin privileges. From here on, it was lightning fast.

Listing CVT on Drift spot → Lifting withdrawal limits on each vault → Depositing 785M CVT as collateral into 5 wallets → 31 transactions draining all 20+ vaults, including USDC, JLP, USDT, etc., in just 12 minutes → Bridging to Ethereum via Wormhole → Swapping to ETH. (On-chain receipt)

Total execution time: approximately 20 minutes.

Why this is scary: blind signing + durable nonce (a structure similar to EVM approvals) + fake-token oracle manipulation + admin key theft. This is an attack combining these four elements into one. The system operated exactly as designed. It wasn't a code bug. It was the human element that was compromised.

And one more thing. There are rumors that key personnel at Drift left a few weeks ago. Who is the person who has the admin key at this timing, perfectly understands the collateral loan logic, and can execute it in 20 minutes?

by Myu's China Expert
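The "signed check in a drawer" in the thread works because a Solana transaction whose first instruction is SystemProgram AdvanceNonceAccount never expires with a recent blockhash. A multisig signer who decodes the message bytes before signing can see both that and which programs the instructions target. The block below is an added example, written for this page and not code from the thread, from Drift, or from Solana's own libraries: a stdlib-only parser for the legacy message layout plus a pre-signing check. All keys in it are constructed placeholders, the "admin program" and its instruction payload are hypothetical, and the allow-list policy is an assumption about what a council member's signing tool could enforce; the versioned (v0) message layout is deliberately rejected rather than parsed.

```python
"""Pre-signing inspection of a Solana legacy transaction message (added example).

Flags (1) durable-nonce transactions: first instruction = SystemProgram
AdvanceNonceAccount, so the signature stays valid until the nonce is advanced,
and (2) instructions aimed at programs outside the signer's allow-list.
Legacy layout only. Every key below is a constructed placeholder, not a real address.
"""
import struct

SYSTEM_PROGRAM = bytes(32)      # base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4       # SystemInstruction enum discriminant, u32 LE
VERSIONED_PREFIX = 0x80         # first byte of a v0 message; not handled here


def encode_compact_u16(n: int) -> bytes:
    """Solana compact-u16: 7 bits per byte, high bit = continuation, max 3 bytes."""
    if not 0 <= n <= 0xFFFF:
        raise ValueError("compact-u16 out of range")
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def decode_compact_u16(buf: bytes, pos: int) -> tuple[int, int]:
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated compact-u16")
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 14:
            raise ValueError("compact-u16 longer than 3 bytes")


def _take(buf: bytes, pos: int, n: int) -> tuple[bytes, int]:
    if pos + n > len(buf):
        raise ValueError("truncated message")
    return bytes(buf[pos:pos + n]), pos + n


def build_message(num_signers, account_keys, blockhash, instructions) -> bytes:
    """Serialize a legacy message; instructions are (program_index, [account_indexes], data)."""
    msg = bytearray([num_signers, 0, 0]) + encode_compact_u16(len(account_keys))
    for key in account_keys:
        msg += key
    msg += blockhash + encode_compact_u16(len(instructions))
    for prog_idx, accts, data in instructions:
        msg.append(prog_idx)
        msg += encode_compact_u16(len(accts)) + bytes(accts)
        msg += encode_compact_u16(len(data)) + data
    return bytes(msg)


def parse_message(buf: bytes) -> dict:
    """Decode header, account keys, blockhash field and instructions, with bounds checks."""
    if len(buf) < 3:
        raise ValueError("truncated header")
    if buf[0] & VERSIONED_PREFIX:
        raise ValueError("versioned message; only legacy messages are handled")
    num_signers, pos = buf[0], 3
    n_keys, pos = decode_compact_u16(buf, pos)
    keys = []
    for _ in range(n_keys):
        key, pos = _take(buf, pos, 32)
        keys.append(key)
    blockhash, pos = _take(buf, pos, 32)
    n_ix, pos = decode_compact_u16(buf, pos)
    instructions = []
    for _ in range(n_ix):
        b, pos = _take(buf, pos, 1)
        prog_idx = b[0]
        n_accts, pos = decode_compact_u16(buf, pos)
        accts, pos = _take(buf, pos, n_accts)
        n_data, pos = decode_compact_u16(buf, pos)
        data, pos = _take(buf, pos, n_data)
        if prog_idx >= n_keys or any(a >= n_keys for a in accts):
            raise ValueError("account index out of range")
        instructions.append({"program": keys[prog_idx],
                             "accounts": [keys[a] for a in accts], "data": data})
    if pos != len(buf):
        raise ValueError("trailing bytes after message")
    return {"num_signers": num_signers, "keys": keys,
            "blockhash": blockhash, "instructions": instructions}


def is_durable_nonce(msg: dict) -> bool:
    """Durable-nonce txs lead with AdvanceNonceAccount; the blockhash field then holds the nonce."""
    if not msg["instructions"]:
        return False
    first = msg["instructions"][0]
    return (first["program"] == SYSTEM_PROGRAM and len(first["data"]) == 4
            and struct.unpack("<I", first["data"])[0] == ADVANCE_NONCE_ACCOUNT)


def inspect_message(buf: bytes, allowed_programs: set) -> list:
    """Return human-readable findings; an empty list means nothing to object to."""
    msg = parse_message(buf)
    findings = []
    if is_durable_nonce(msg):
        accts = msg["instructions"][0]["accounts"]
        nonce_account = accts[0].hex()[:8] if accts else "?"
        findings.append(f"durable nonce via account {nonce_account}: signature does not "
                        "expire with a recent blockhash")
    for i, ix in enumerate(msg["instructions"]):
        if ix["program"] not in allowed_programs:
            findings.append(f"instruction {i} targets program {ix['program'].hex()[:8]} "
                            "outside the allow-list")
    return findings


# Constructed placeholders (NOT real addresses).
COUNCIL_MEMBER, NONCE_ACCOUNT = bytes([1]) * 32, bytes([2]) * 32
RECENT_BLOCKHASHES_SYSVAR, ADMIN_PROGRAM, RECIPIENT = bytes([3]) * 32, bytes([4]) * 32, bytes([5]) * 32
NONCE_VALUE, FRESH_BLOCKHASH = bytes([0xAA]) * 32, bytes([0xBB]) * 32

# The "signed check": advance the nonce, then hit a hypothetical admin program.
NONCE_MSG = build_message(
    1, [COUNCIL_MEMBER, NONCE_ACCOUNT, RECENT_BLOCKHASHES_SYSVAR, SYSTEM_PROGRAM, ADMIN_PROGRAM],
    NONCE_VALUE,
    [(3, [1, 2, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT)),
     (4, [0], b"\x07transfer_admin")])      # hypothetical payload, not a real Drift instruction

# Ordinary SystemInstruction::Transfer (discriminant 2) with a fresh blockhash: nothing to flag.
PLAIN_MSG = build_message(
    1, [COUNCIL_MEMBER, RECIPIENT, SYSTEM_PROGRAM], FRESH_BLOCKHASH,
    [(2, [0, 1], struct.pack("<IQ", 2, 1_000))])

if __name__ == "__main__":
    for name, raw in (("nonce", NONCE_MSG), ("plain", PLAIN_MSG)):
        print(name, inspect_message(raw, {SYSTEM_PROGRAM}) or ["ok"])
```

In practice the bytes come from the wallet's signing prompt; the point of the check is that a durable-nonce transaction and an unfamiliar target program are both visible in the raw message, so a signer does not have to take the requester's description on faith.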

Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.