Drift: "Hack Exploiting Delayed Execution Occurred… Tracking and Freezing Stolen Assets Underway"

Solana-based DeFi protocol Drift has issued an official statement on the cause of the latest hacking incident.

According to Drift’s official announcement on the 2nd (local time), the attack was confirmed to have been carried out by combining a delayed-execution mechanism using a “durable nonce” with the theft of multisig approvals.

The attacker reportedly pre-signed transactions via a durable nonce account and delayed their execution, then executed them within a short window to seize administrator privileges. Drift said, “The attacker obtained approvals from 2 of the 5 multisig signers and executed an admin transfer,” adding that “this allowed them to take control of protocol-level permissions.”

Drift also denied the commonly raised possibility of a technical vulnerability. “This incident was not caused by a smart contract bug or a program vulnerability,” the team said. “There is also no evidence that the seed phrase was compromised. The core of the attack is the delayed-execution structure leveraging pre-approved transactions.”

The attack is believed to have been a sophisticated operation prepared over several weeks, with multisig approvals likely obtained through social engineering or mistaken transaction approvals.

The damage affected major functions across the protocol, including lending, deposits, and trading funds. However, DSOL and insurance fund assets not deposited in Drift were excluded from the affected assets.

Drift is currently working with security firms, exchanges, bridges, and law enforcement agencies to track and freeze the stolen assets. Drift said it is “cooperating with various organizations to track and freeze the stolen assets.”