[Twitter threads] DeFi lending protocol Drift suffered a loss of over $200 million in 10 seconds, affecting more than 15 projects.


Chainfeeds Summary:

DeFi's modular structure was once considered the field's biggest advantage, but now that advantage has been amplified into a disadvantage, with failures spreading like dominoes.

Article source:

https://x.com/ChainCatcher_/status/2039546677699428765

Article Author:

ChainCatcher


Opinion:

ChainCatcher: Around 1 AM today, another major security incident occurred in the DeFi sector. The Solana lending protocol Drift was hacked, with over $220 million in user assets stolen within just ten seconds. Following the incident, the Drift token quickly plummeted by over 40%, and its FDV now stands at only approximately $44 million. At the same time, because of Drift's crucial role in the Solana ecosystem, related assets such as SOL and JUP also saw abnormal declines of varying degrees. As one of the leading lending protocols in the Solana ecosystem, Drift had previously raised over $52 million in funding from investors including top-tier institutions such as Multicoin Capital, Polychain, and Jump Capital.

This attack was not a single point of vulnerability but rather the result of multiple attack methods combined, including the illegal acquisition of multisignature control, governance attacks, and oracle manipulation. By controlling a single signature key, the attackers completed a series of critical operations within a single transaction, including creating a fake market, manipulating price oracles, and removing withdrawal restrictions. Particularly noteworthy is that the leak of the multisignature private key may even involve internal personnel, which further complicates the incident and escalates its severity.

Looking at the specific attack path, the problem had already been brewing a week earlier. At that time, Drift migrated protocol management permissions from the old multisignature wallet to a new one. The new wallet was created by one of the signers from the old multisignature wallet, but that signer did not include themselves in the new signer list. This design flaw gave the attacker an opening. The attacker first initiated a proposal in the old multisignature wallet, transferring protocol administrator permissions to a wallet they controlled.

Subsequently, the structure of the new multisignature wallet further amplified the risk: only one of the five signers came from the old system, the rest were new addresses, only 2 of 5 signatures were required to execute a proposal, and there was no time-lock mechanism. In the early morning, the sole old signer initiated a proposal transferring administrator permissions to the attacker's address. Another new signer quickly followed suit, instantly fulfilling the execution conditions. With no time delay, the proposal took effect immediately, and the attacker gained complete control. The entire process was extremely rapid, leaving almost no room for intervention or reaction, and fully exposed the fatal flaws in the multisignature design and permission management.

After gaining administrator privileges, the attackers quickly launched their arbitrage operation. First, they created a CVT spot market on Drift with a total supply of approximately 750 million tokens, of which 600 million were controlled by the attackers. Then they deployed and designated their own oracle data source, causing the protocol to read the price they manipulated. Through approximately 20 transactions, the attackers artificially inflated the price of CVT, which was essentially worthless, so that from the oracle's perspective their holdings appeared to be worth hundreds of millions of dollars. Using this artificially inflated collateral, the attackers borrowed approximately $220 million to $280 million in assets from the protocol, including core assets such as JLP, USDC, and cbBTC.

This event not only directly impacted Drift itself but also spread rapidly throughout the Solana ecosystem through DeFi's "modular structure". As one of the biggest victims, Jupiter's core LP asset, JLP, was massively withdrawn, causing a sharp drop in liquidity and triggering market panic. Furthermore, more than 15 protocols integrating Drift were affected to varying degrees, with some suspending withdrawal functionality. Ultimately, ordinary users suffer the greatest losses, as frequent security incidents continue to erode the market's trust in DeFi.
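As an added illustration that is not part of the ChainCatcher thread: a small Python model of the governance setup the thread describes (a 2-of-5 threshold, a single legacy signer carried over, no timelock), with defender-side checks that flag each of those weaknesses and a hardened configuration for comparison. All signer names, the 48-hour delay and the hardened signer set are constructed assumptions, not Drift's actual addresses or parameters.

```python
from dataclasses import dataclass, field

@dataclass
class Proposal:
    new_admin: str
    created_at: int                       # unix seconds
    approvals: set = field(default_factory=set)

@dataclass(frozen=True)
class Multisig:
    signers: frozenset
    threshold: int
    timelock_secs: int                    # 0 = executes the moment the threshold is met

    def approve(self, p: Proposal, signer: str) -> None:
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")
        p.approvals.add(signer)

    def can_execute(self, p: Proposal, now: int) -> bool:
        quorum = len(p.approvals & self.signers) >= self.threshold
        matured = now - p.created_at >= self.timelock_secs   # review window has elapsed
        return quorum and matured

def governance_findings(ms: Multisig, old_signers: frozenset) -> list:
    """Review checks for the weaknesses the thread describes in the migrated multisig."""
    findings = []
    n = len(ms.signers)
    if ms.threshold * 2 <= n:
        findings.append(f"threshold {ms.threshold}/{n} is not a majority")
    if ms.timelock_secs == 0:
        findings.append("no timelock: an approved proposal takes effect instantly")
    if len(ms.signers - old_signers) >= ms.threshold:
        findings.append("newly added signers alone can meet the threshold")
    if len(ms.signers & old_signers) <= 1:
        findings.append("at most one legacy signer carried over; continuity rests on one key")
    return findings

# Constructed stand-ins: one legacy signer plus four new ones, 2-of-5, no delay (as described),
# beside a hardened variant with three legacy signers, 3-of-5 and a 48-hour timelock.
OLD_SIGNERS = frozenset({"old_A", "old_B", "old_C"})
WEAK = Multisig(frozenset({"old_A", "new_1", "new_2", "new_3", "new_4"}), threshold=2, timelock_secs=0)
HARDENED = Multisig(frozenset({"old_A", "old_B", "old_C", "new_1", "new_2"}), threshold=3, timelock_secs=48 * 3600)

def admin_transfer(ms: Multisig, approvers, elapsed: int) -> bool:
    """True if an admin-transfer proposal with these approvals executes `elapsed` seconds after creation."""
    p = Proposal(new_admin="proposed_admin", created_at=0)
    for s in approvers:
        ms.approve(p, s)
    return ms.can_execute(p, now=elapsed)
```

With the weak configuration the legacy signer plus any one new address executes the transfer in the same second it is proposed; the hardened one needs a third approval and still leaves two days for the remaining signers to intervene.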

Content source

https://chainfeeds.substack.com

Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.