I went through Drift’s incident thread, and this is the clearest play-by-play of what happened to @DriftProtocol ↓

March 23
The setup appears to have started here. Drift says 4 durable nonce accounts were created. That suggests parts of the attack were prepared in advance.
Drift’s implication → At least 2 of 5 signer approvals were already tied to the setup.

March 27
Drift says the Security Council multisig was updated because one council member was replaced. It did not explain why. But the change did not fully remove the attacker’s path.

March 30
A new durable nonce account was created for someone in the updated multisig. That suggests the attacker still had effective access to 2 of the 5 required signers.

April 1
Drift spotted unusual activity. Users were told not to deposit. Deposits and withdrawals were suspended shortly after.
Later that day, Drift says there was a legitimate-looking test withdrawal from the insurance fund. About a minute later, 2 pre-signed durable nonce transactions were executed. Those transactions created and approved a malicious admin transfer.
After that, the attacker gained control of Drift’s Security Council admin powers. With that control, the attacker added a malicious asset, removed withdrawal limits, and drained the protocol.
Around $280M was withdrawn from: borrow/lend deposits, vault deposits, and trading deposits.

Drift says this was not a smart contract bug and there is no evidence of compromised seed phrases.

Their response:
→ Freeze the remaining protocol functions
→ Remove the compromised wallet from the multisig
→ Work with security firms, bridges, exchanges, and law enforcement

From the looks of it, I'm thinking that this might be an inside job.
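The two patterns in the thread, a council signer setting up a durable nonce account days in advance and a multisig approval later landing through that nonce, are both visible on-chain before the drain. The monitor below is an added example, not Drift's code or anything from the thread; it assumes transactions have already been parsed into simplified dicts, uses a placeholder multisig program id and a hypothetical "Approve" instruction name, and relies on the real Solana rule that a transaction is durable-nonce when its first instruction is the System Program's AdvanceNonceAccount.

```python
from datetime import datetime

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # real Solana System Program id
MULTISIG_PROGRAM = "MULTISIG_PROGRAM_ID_PLACEHOLDER"  # placeholder, not Drift's program
COUNCIL = ["SIGNER_A", "SIGNER_B", "SIGNER_C", "SIGNER_D", "SIGNER_E"]  # constructed

def is_durable_nonce_tx(tx):
    """Solana's runtime treats a tx as durable-nonce when instruction 0 is
    System Program AdvanceNonceAccount; such a tx never expires."""
    ixs = tx["instructions"]
    return bool(ixs) and ixs[0]["program"] == SYSTEM_PROGRAM \
        and ixs[0]["name"] == "AdvanceNonceAccount"

def audit(txs, council_signers):
    """Return alert strings for two defender-side rules:
    1. a council signer becomes authority of a newly initialised nonce account
       (the setup stage), and
    2. a multisig approval is executed through a durable nonce (a pre-signed
       approval), reported with the age of the nonce account it used."""
    nonce_created = {}  # nonce account -> time InitializeNonceAccount was seen
    alerts = []
    for tx in sorted(txs, key=lambda t: t["time"]):
        for ix in tx["instructions"]:
            if ix["program"] == SYSTEM_PROGRAM and ix["name"] == "InitializeNonceAccount":
                nonce_created[ix["nonce_account"]] = tx["time"]
                if ix["authority"] in council_signers:
                    alerts.append(f"{tx['time']:%Y-%m-%d} nonce account {ix['nonce_account']}"
                                  f" initialised with council signer {ix['authority']} as authority")
        if not is_durable_nonce_tx(tx):
            continue
        nonce_acct = tx["instructions"][0]["nonce_account"]
        if any(ix["program"] == MULTISIG_PROGRAM and ix["name"] == "Approve"
               for ix in tx["instructions"][1:]):
            created = nonce_created.get(nonce_acct)
            age = f"{(tx['time'] - created).days}d old" if created else "unknown age"
            for signer in sorted(set(tx["signers"]) & set(council_signers)):
                alerts.append(f"{tx['time']:%Y-%m-%d} durable-nonce approval by {signer}"
                              f" via nonce {nonce_acct} ({age})")
    return alerts

# Constructed sample mirroring the thread's timeline (year arbitrary), not real chain data.
SAMPLE_TXS = [
    {"time": datetime(2026, 3, 23), "signers": ["SIGNER_A"], "instructions": [
        {"program": SYSTEM_PROGRAM, "name": "CreateAccount"},
        {"program": SYSTEM_PROGRAM, "name": "InitializeNonceAccount",
         "nonce_account": "NONCE_1", "authority": "SIGNER_A"}]},
    {"time": datetime(2026, 3, 31), "signers": ["SIGNER_C"], "instructions": [
        {"program": MULTISIG_PROGRAM, "name": "Approve"}]},  # ordinary, blockhash-bound approval
    {"time": datetime(2026, 4, 1), "signers": ["SIGNER_A"], "instructions": [
        {"program": SYSTEM_PROGRAM, "name": "AdvanceNonceAccount", "nonce_account": "NONCE_1"},
        {"program": MULTISIG_PROGRAM, "name": "Approve"}]},  # pre-signed approval fired later
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_TXS, COUNCIL)))
```

The first alert fires at setup time, days before any funds move, which is the window a council would want for rotating the affected signer.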
From Twitter