How Solana's Largest Perp DEX Was Exploited for $285 Million
Unchained Podcast Recap
Published:
Duration: 38 min
Guests: Omer Goldberg
Summary
Solana's Drift Protocol, a major decentralized exchange for perpetual futures, was hacked for $285 million due to security weaknesses and strategic manipulation by the attacker. The incident highlighted the vulnerabilities in DeFi protocols and the need for improved security measures.
What Happened
Solana's Drift Protocol, the largest decentralized perpetual futures exchange on the Solana blockchain, suffered a massive hack resulting in a loss of $285 million. Prior to the attack, the protocol had a total value locked of about $500 million, demonstrating the significant impact of the breach.
The attacker exploited a 2-of-5 multisig with zero time lock, using a fake token named CBT to manipulate the price of collateral and extract assets. This methodical and strategic approach involved executing a series of transactions within seconds, showcasing the sophistication of the attack.
One critical vulnerability was the lack of adequate multisig and time locks on Drift Protocol's operations. A signer from the old multisig created the new one but failed to include themselves in the new role. The new multisig was quickly signed by a second cosigner, meeting the necessary threshold to execute the attack.
The attack further involved creating a market with unlimited parameters, allowing the attacker to add CBT as a new collateral asset and manipulate its price using a fake Oracle. This manipulation was part of a broader strategy that included social engineering and Oracle manipulation.
Durable nonces on Solana, which allow transactions to be signed without time expiration, were utilized by the attacker to time the exploit effectively. Anatoly Yakovenko, founder of Solana Labs, noted on Twitter that durable nonces can be monitored for alerts, although this was not done in this case.
The hack affected over 20 discrete protocols, indicating its extensive reach within the Solana ecosystem. This led to a contagion effect impacting other protocols such as vaults, borrow-lend integrations, and yield products, exacerbating the overall damage.
Circle faced criticism for not freezing the stolen funds, citing the need for legal cover to blacklist addresses. The attacker had moved funds into USCC and used the CCTP protocol, seemingly confident that the funds wouldn't be frozen.
There are similarities between this hack and a previous attack on Bybit, attributed to North Korea, which also involved deceptive key signing. Security teams are tracing the current hack's funds to check for associations with addresses linked to the North Korean regime.
Key Insights
- The Drift Protocol hack on Solana resulted in a $285 million loss, exploiting a 2-of-5 multisig with zero time lock. The protocol's total value locked was about $500 million prior to the attack, highlighting the scale of the breach.
- The attacker used a fake token and manipulated its price to extract assets, executing the transactions within seconds. This strategic approach underscores the need for robust security measures in DeFi protocols.
- Durable nonces on Solana were used to time the exploit, emphasizing the importance of monitoring these for potential threats. Anatoly Yakovenko suggested that durable nonces can be monitored for alerts, which was not implemented in this case.
- Circle's decision not to freeze the stolen funds led to criticism, as they typically require a court mandate to do so. The attacker moved the funds into USCC, using the CCTP protocol with apparent confidence that the funds would remain unfrozen.