DeFi lending protocol Drift was hacked in 10 seconds, resulting in over $200 million stolen, affecting more than 15 projects.


Author: Gu Yu, ChainCatcher

Around 1 a.m. today, a large-scale theft hit the DeFi space again. The Solana lending protocol Drift was targeted by hackers, and more than $220 million in user assets were drained within ten seconds.

After the incident, the Drift token dropped more than 40% in a short period of time. Its current FDV is about $44 million. Because many assets within the Solana ecosystem are involved, Solana ecosystem tokens such as SOL and JUP also saw abnormal declines of varying degrees.

Drift had previously been one of the largest lending protocols in the Solana ecosystem. According to RootData, the protocol’s cumulative funding amount exceeded $52 million. Investors include top-tier VCs such as Multicoin Capital, Polychain, Robot Ventures, Blockchain Capital, Ethereal Ventures, Jump Capital, and others.

According to publicly available analysis, this Drift theft is closely tied to the leakage of multiple addresses, compounded by familiar attack patterns such as governance attacks and oracle attacks. The attacker used a single signing key to complete every step in one transaction: creating a fake market, manipulating the oracle, and disabling withdrawal limits.

Such well-worn attack techniques, together with the project team’s weak preventive measures, once again exposed the fragility of the DeFi sector. Based on a tweet and related interpretation by Omer Goldberg, founder of Chaos Labs, the following is a step-by-step analysis of the theft:

The first sign of the incident appeared a week ago, when Drift transferred the protocol’s admin privileges from the old multisig wallet to a new multisig wallet. The new wallet was created by one of the signers of the old multisig, but that signer did not add themselves to the new multisig.

The attacker exploited this loophole. They first submitted a proposal in the old multisig to transfer Drift’s admin privileges to a new wallet controlled by the attacker.

The new multisig had 5 signers, only 1 of whom came from the old multisig; the other 4 were entirely new. The rules were extremely lax: approval required only 2 of the 5 signers (two signatures were enough), and the timelock was 0 seconds (a proposal executed immediately after approval, with no waiting period).

This morning around 1 a.m., the sole remaining old signer used the new multisig to submit a proposal: “Change Drift’s administrator privileges to the wallet the attacker truly controls.”

A few seconds later, another new signer immediately co-signed, effortlessly reaching the 2/5 threshold. Because there was no timelock, the proposal executed instantly, and the attacker obtained full administrator privileges.
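As an added illustration (not from the article, Chaos Labs, or Drift), the following Python check scores a multisig governance configuration against a policy and reports the weaknesses described above: a low threshold, no timelock, and too little overlap with the previous signer set. The signer labels, the policy values, and the "hardened" configuration are assumptions; the first configuration only mirrors the figures reported above (5 signers, 1 carried over, 2-of-5, 0-second timelock).

```python
from __future__ import annotations
import math
from dataclasses import dataclass, field

@dataclass
class MultisigConfig:
    signers: set[str]                 # current signer keys (placeholder labels)
    threshold: int                    # approvals needed to execute a proposal
    timelock_seconds: int             # delay between approval and execution
    previous_signers: set[str] = field(default_factory=set)  # signers of the multisig being replaced

@dataclass
class Policy:
    # Policy values are assumptions chosen for this example, not Drift's rules.
    min_threshold_ratio: float = 0.6       # e.g. at least 3-of-5
    min_timelock_seconds: int = 24 * 3600  # time for signers and users to react
    min_carried_over: int = 2              # continuity with the previous signer set

def audit_multisig(cfg: MultisigConfig, policy: Policy = Policy()) -> list[str]:
    """Return policy violations; an empty list means the configuration passes."""
    n = len(cfg.signers)
    if n == 0 or cfg.threshold < 1:
        return ["no signers or zero threshold configured"]
    findings = []
    if cfg.threshold / n < policy.min_threshold_ratio:
        findings.append(f"threshold {cfg.threshold}/{n} is below the {policy.min_threshold_ratio:.0%} policy minimum")
    if cfg.timelock_seconds < policy.min_timelock_seconds:
        findings.append(f"timelock {cfg.timelock_seconds}s is below the {policy.min_timelock_seconds}s policy minimum")
    carried = cfg.signers & cfg.previous_signers
    if len(carried) < policy.min_carried_over:
        findings.append(f"only {len(carried)} signer(s) carried over from the previous multisig; policy requires {policy.min_carried_over}")
    # Failure mode from the incident: newcomers plus a single carried-over signer can execute.
    # Require that any execution includes a majority of the carried-over signers.
    needed_from_carried = cfg.threshold - (n - len(carried))
    if needed_from_carried < math.ceil(len(carried) / 2):
        findings.append(f"a proposal needs only {max(needed_from_carried, 0)} carried-over approval(s); newcomers can supply the rest")
    return findings

# Constructed configurations: the first mirrors the reported figures, the second is a hardened alternative.
DRIFT_LIKE = MultisigConfig(signers={"old1", "new1", "new2", "new3", "new4"}, threshold=2,
                            timelock_seconds=0, previous_signers={"old1", "old2", "old3"})
HARDENED = MultisigConfig(signers={"old1", "old2", "old3", "new1"}, threshold=3,
                          timelock_seconds=48 * 3600, previous_signers={"old1", "old2", "old3"})

if __name__ == "__main__":
    for name, cfg in (("drift-like", DRIFT_LIKE), ("hardened", HARDENED)):
        print(name, audit_multisig(cfg) or ["OK"])
```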

The attacker then immediately used the privileges to create a CVT spot market on the Drift protocol. The token’s total supply is about 750 million, and the attacker holds 600 million. Next, the attacker used the SwitchboardOnDemand oracle they controlled and configured Drift to read that oracle.

After the setup was complete, the attacker pumped the price of the CVT token, which had been essentially worthless, with 20 transactions, so that the 600 million CVT the attacker deposited appeared to the oracle to be worth hundreds of millions of dollars. Against that collateral, the attacker borrowed assets worth approximately $220–$280 million, including 41.72 million JLP (Jupiter LP token, worth about $155 million), 51.61 million USDC, 164 cbBTC (worth about $11.29 million), and others.
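As an added detection example (not from the article, Chaos Labs, or Drift), the following Python groups admin-level actions by transaction and signer and flags the combination described above: one signer listing a market, pointing it at an oracle outside the allowlist, and lifting withdrawal limits in a single transaction. The action labels, field names, oracle allowlist and sample events are constructed for the example; Drift's real instruction names are not used.

```python
from collections import defaultdict

# Hypothetical labels for admin-only operations; not Drift's instruction names.
HIGH_RISK = {"create_market", "set_oracle", "disable_withdrawal_limit"}
# Assumed allowlist of oracle accounts the protocol is meant to read from.
TRUSTED_ORACLES = {"oracle-feed-A", "oracle-feed-B"}

def detect_admin_abuse(events, trusted_oracles=TRUSTED_ORACLES):
    """events: iterable of dicts with keys tx, signer, action, market and optionally oracle.
    Returns alerts for (a) two or more HIGH_RISK actions by one signer in one transaction
    and (b) any set_oracle pointing at an account outside the allowlist."""
    by_key = defaultdict(list)
    alerts = []
    for e in events:
        by_key[(e["tx"], e["signer"])].append(e)
        if e["action"] == "set_oracle" and e.get("oracle") not in trusted_oracles:
            alerts.append({"rule": "untrusted_oracle", "tx": e["tx"], "signer": e["signer"],
                           "market": e["market"], "oracle": e.get("oracle")})
    for (tx, signer), evs in by_key.items():
        hit = {e["action"] for e in evs} & HIGH_RISK
        if len(hit) >= 2:
            alerts.append({"rule": "admin_burst", "tx": tx, "signer": signer, "actions": sorted(hit)})
    return alerts

# Constructed sample: one routine parameter change, then a single signer listing a market,
# pointing it at an untrusted oracle and lifting withdrawal limits in one transaction.
SAMPLE_EVENTS = [
    {"tx": "tx-001", "signer": "admin-A", "action": "update_fee", "market": "SOL"},
    {"tx": "tx-002", "signer": "admin-X", "action": "create_market", "market": "CVT"},
    {"tx": "tx-002", "signer": "admin-X", "action": "set_oracle", "market": "CVT", "oracle": "oracle-attacker"},
    {"tx": "tx-002", "signer": "admin-X", "action": "disable_withdrawal_limit", "market": "CVT"},
]

if __name__ == "__main__":
    for alert in detect_admin_abuse(SAMPLE_EVENTS):
        print(alert)
```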

DeFi’s composable, building-block structure was once seen as the sector’s biggest advantage. Now that same property has transmitted risk, like falling dominoes, to the other Solana DeFi protocols integrated with the Drift lending market.

Jupiter was the biggest victim of this security incident. JLP, the largest stolen asset, is the core LP asset of the Jupiter perpetual contract market. The theft will significantly reduce liquidity in that market and is also likely to trigger cascading reactions such as panic withdrawals and a decline in the JUP token.

In addition, more than 15 DeFi protocols—including Perena, Project 0, Exponent, Carrot, Ranger, PiggyBank, Reflect, Elemental, Neutral Trade, Pyra, Fuse, and XPlace—posted statements confirming that they were affected by the Drift theft, and some have paused withdrawal functions.

But in every security incident, the most affected are still the users. Repeated hacks keep shaking users’ confidence in DeFi.

“Today I’m not doing anything else. I’ll take all the funds from all on-chain old projects. For new projects, unless I specifically understand them, I won’t let them in either. It’s a troublesome time—don’t test human nature.” After losing more than $6,000 in this incident, the well-known KOL “Tao Australia Senior Brother” posted this.
