DeFi's biggest hack

On‑chain analysts say the attacker recreated multisig approvals by using durable‑nonce pre‑signed transactions to seize Drift’s admin privileges—security teams report the incident was an operational key‑compromise, not a smart‑contract exploit. (4pillars.io) Investigators trace the mechanism to a newly created spot market for a token called CVT: the attacker minted CVT, linked a Switchboard oracle they controlled to that market, pumped the oracle price to fabricate collateral value, then changed safeguard parameters to enable large withdrawals. (kucoin.com) Blockchain tracing shows the attacker consolidated dozens of assets, swapped many into USDC and SOL, and moved large sums off Solana—KuCoin and Bloomberg data indicate over $100M of USDC in single batches and extensive use of Circle’s CCTP and Wormhole to bridge funds to Ethereum. (kucoin.com) Forensic work has flagged specific drain addresses (including HkGz4KmoZ7 and 8ubo4HbWJH) and noted the launderer wallet was funded via Backpack (a KYC wallet), creating an identifiable on‑ramp that investigators say could aid tracing. (kucoin.com) Drift’s timeline shows weeks of attacker preparation and a March 27 multisig migration that left a single carry‑over signer as the critical vulnerability, and the protocol says it has since removed compromised signers and updated multisig controls while security firms continue the probe. (4pillars.io)