$285M Solana hack

A massive security reminder: coverage and community discussion focused on the roughly $285 million exploit of Drift Protocol on Solana, underscoring that one large breach can ripple through liquidity and trust across the ecosystem. The incident is being analyzed in social feeds and creator videos as a pivotal security event that keeps custody, oracle and smart-contract risk front and center for builders and payments partners. (x.com, youtube.com)

The $285 million Solana hack was not a classic smart-contract bug. It was an administrative takeover of Drift Protocol, one of Solana's largest on-chain trading venues, and it appears to have started long before the money moved. On April 1, Drift said an attacker used a "novel attack involving durable nonces" to seize the protocol's Security Council powers, then began draining funds. Early estimates put the loss above $270 million; later reporting and forensics pushed the figure to about $285 million (coindesk.com, decrypt.co, blocksec.com).

That distinction matters because the attack did not begin by breaking Drift's trading engine. It began by taking control of the knobs around it. BlockSec's reconstruction says the attacker exploited Solana's durable nonce system, which lets users pre-sign transactions for later execution. An ordinary Solana transaction references a recent blockhash and becomes invalid once that blockhash ages out of the recent set, roughly a minute or two later, so a signature cannot be stockpiled. A durable-nonce transaction instead references a value stored in a nonce account and carries the System Program's AdvanceNonceAccount as its first instruction; it stays valid until the nonce is advanced, however long that takes. In ordinary use, that feature is a convenience for offline and multi-party signing. Here, it let the attacker hold signed governance actions in reserve and execute them when conditions were right. Drift's own public statements, as summarized by multiple outlets, say the result was a rapid takeover of a 2-of-5 Squads multisig with no timelock standing in the way (blocksec.com, decrypt.co, thehackernews.com).

Once the attacker had those permissions, the rest was brutally simple. They created a malicious collateral asset, described in reporting as a fake token called CVT or CarbonVote, manipulated its oracle price upward, loosened withdrawal protections, and then borrowed or withdrew real assets against fake value. In other words, the hack turned governance access into a money printer. The protocol's own risk rails became the path out. That is why the breach hit liquidity so hard. It was not just theft from one pool. It was the conversion of protocol trust into instantly spendable collateral (decrypt.co, blocksec.com, coindesk.com).

The most unsettling part is how much of this seems to have happened off-chain first.
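The durable-nonce shape described above is something a multisig member's signing tool can recognize before a signature is ever produced. The following is an added example, not code from Drift, Squads or Solana Labs: it parses a Solana legacy transaction message, detects the durable-nonce pattern (System Program AdvanceNonceAccount as instruction 0, with the stored nonce value sitting in the "recent blockhash" slot), reports which key holds the nonce authority, and refuses to pre-sign such a transaction when it touches a governance program. The 32-byte keys, the stand-in multisig program and both sample messages are constructed for the example, and `should_sign` is a hypothetical signer-side policy hook, not a Squads feature.

```python
"""Detect durable-nonce transactions before a multisig member signs them.

Added illustration, not code from Drift, Squads or Solana Labs. Legacy message
layout: 3-byte header, compact-u16 array of 32-byte account keys, 32-byte
"recent blockhash" slot, compact-u16 array of compiled instructions. The
runtime treats a message as durable-nonce when instruction 0 is the System
Program's AdvanceNonceAccount (bincode u32 discriminant 4) over the accounts
[nonce_account, RecentBlockhashes sysvar, nonce_authority]; the blockhash slot
then holds the stored nonce and the signature never expires on its own.
All keys and sample messages below are constructed, not taken from the incident.
"""
import struct

SYSTEM_PROGRAM = bytes(32)      # 11111111111111111111111111111111 in base58
ADVANCE_NONCE_ACCOUNT = 4       # SystemInstruction enum discriminant


def encode_len(n: int) -> bytes:
    """Solana compact-u16 ("shortvec"): 7 bits per byte, high bit = continue."""
    out = bytearray()
    while True:
        low, n = n & 0x7F, n >> 7
        if n == 0:
            out.append(low)
            return bytes(out)
        out.append(low | 0x80)


def decode_len(buf: bytes, pos: int):
    n, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            return n, pos
        shift += 7


def compile_message(header, keys, blockhash, instructions) -> bytes:
    """instructions: list of (program_key_index, [account indexes], data)."""
    out = bytearray(header) + encode_len(len(keys)) + b"".join(keys) + blockhash
    out += encode_len(len(instructions))
    for prog_idx, accts, data in instructions:
        out += bytes([prog_idx]) + encode_len(len(accts)) + bytes(accts)
        out += encode_len(len(data)) + data
    return bytes(out)


def parse_message(buf: bytes):
    header, pos = tuple(buf[:3]), 3
    n_keys, pos = decode_len(buf, pos)
    keys = [buf[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = buf[pos:pos + 32], pos + 32
    n_ix, pos = decode_len(buf, pos)
    ixs = []
    for _ in range(n_ix):
        prog_idx, pos = buf[pos], pos + 1
        n_acc, pos = decode_len(buf, pos)
        accts, pos = list(buf[pos:pos + n_acc]), pos + n_acc
        n_data, pos = decode_len(buf, pos)
        data, pos = buf[pos:pos + n_data], pos + n_data
        ixs.append((prog_idx, accts, data))
    return header, keys, blockhash, ixs


def durable_nonce_info(buf: bytes):
    """None for an ordinary (expiring) message; otherwise who can replay it."""
    _, keys, blockhash, ixs = parse_message(buf)
    if not ixs:
        return None
    prog_idx, accts, data = ixs[0]          # runtime only honors position 0
    if keys[prog_idx] != SYSTEM_PROGRAM or len(accts) < 3 or len(data) < 4:
        return None
    if struct.unpack_from("<I", data)[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    return {"nonce_account": keys[accts[0]],
            "nonce_authority": keys[accts[2]],
            "nonce_value": blockhash}


def should_sign(buf: bytes, sensitive_programs) -> tuple:
    """Hypothetical signer-side policy: never pre-sign a non-expiring
    transaction that touches a governance/multisig program. Returns (ok, why)."""
    nonce = durable_nonce_info(buf)
    if nonce is None:
        return True, "ordinary blockhash; signature expires with it"
    _, keys, _, ixs = parse_message(buf)
    touched = {keys[p] for p, _, _ in ixs[1:]}
    if touched & set(sensitive_programs):
        return False, ("durable nonce on a sensitive program; held signature "
                       "stays valid until nonce authority "
                       + nonce["nonce_authority"].hex()[:8] + " advances it")
    return True, "durable nonce on non-sensitive program; manual review"


# Constructed keys (one byte repeated), not real addresses.
AUTHORITY = bytes([0x11]) * 32            # multisig member = nonce authority
NONCE_ACCOUNT = bytes([0x22]) * 32
RECENT_BLOCKHASHES = bytes([0x33]) * 32   # stands in for the sysvar
MULTISIG_PROGRAM = bytes([0x44]) * 32     # stands in for a Squads-style program
KEYS = [AUTHORITY, NONCE_ACCOUNT, RECENT_BLOCKHASHES, MULTISIG_PROGRAM, SYSTEM_PROGRAM]
HEADER = (1, 0, 3)        # 1 writable signer, 0 read-only signers, 3 read-only unsigned
GOV_IX = (3, [0], b"\x07")  # hypothetical config-change instruction on the multisig program

DURABLE_MSG = compile_message(HEADER, KEYS, bytes([0x99]) * 32, [
    (4, [1, 2, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT)),  # AdvanceNonceAccount
    GOV_IX,
])
PLAIN_MSG = compile_message(HEADER, KEYS, bytes([0xAB]) * 32, [GOV_IX])

if __name__ == "__main__":
    for name, msg in (("durable", DURABLE_MSG), ("plain", PLAIN_MSG)):
        print(name, should_sign(msg, [MULTISIG_PROGRAM]))
```

The runtime only honors AdvanceNonceAccount in instruction position 0, so that is the only place the check needs to look. A production tool would decode base58 addresses and compare against the real Squads program ID rather than a stand-in key. The nonce authority is the interesting party in the output: a held, already-signed transaction can be submitted by whoever possesses it, but that same authority can defuse it at any time by advancing the nonce out from under it, which is the reactive control a compromised council would want to reach for first.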
Drift's follow-up account, reported by The Block, describes a six-month social-engineering campaign that began around fall 2025. The attackers allegedly posed as a quantitative trading firm, met contributors at conferences, joined working sessions, and even deposited more than $1 million into a Drift Ecosystem Vault to look legitimate. Drift and incident responders from SEAL 911 said with "medium-high" confidence that the operation matched the same North Korea-aligned actors linked to the 2024 Radiant Capital hack (theblock.co). That attribution is not based on vibes. Elliptic said the laundering patterns, on-chain behavior, and network indicators all resembled prior DPRK operations. Funds were moved quickly across chains, including from Solana toward Ethereum, which is exactly the kind of post-exploit choreography investigators now watch for. When a protocol can survive audits and still lose hundreds of millions because two signers were socially engineered, the lesson is not subtle. DeFi's weak point is often not the contract. It is the human being holding the key, and in this case that weak point was enough to turn a convenience feature into a $285.3 million exit route (coindesk.com, blocksec.com).

Shared from Scout - Be the smartest in the room.