DeFi lending protocol Drift was hacked in 10 seconds, resulting in over $200 million stolen, affecting more than 15 projects.


Author: Gu Yu, ChainCatcher

Around 1 a.m. this morning, another large-scale theft hit the DeFi space. The Solana lending protocol Drift was attacked, and in roughly ten seconds more than $220 million in user assets were drained.

After the incident, the Drift token dropped by more than 40% in a short period; its current FDV is about $44 million. Because many Solana-ecosystem assets were involved, tokens such as SOL and JUP also fell abnormally, by varying amounts.

Drift had previously been one of the largest lending protocols in the Solana ecosystem. According to RootData, the protocol’s cumulative funding amount exceeded $52 million. Investors include top-tier VCs such as Multicoin Capital, Polychain, Robot Ventures, Blockchain Capital, Ethereal Ventures, Jump Capital, and others.

According to public analysis, the Drift theft stems from an attacker gaining control of the protocol's admin multisig, compounded by two familiar DeFi attack patterns: a governance attack and an oracle attack. With a single signing key, the attacker completed every step in one transaction: creating a fake market, manipulating its oracle, and disabling withdrawal restrictions. It is possible that the multisig private key was leaked by an insider.

Attacks of this kind, together with weak preventive measures on the project side, once again expose the fragility of DeFi. Based on a tweet by Omer Goldberg, founder of Chaos Labs, and related commentary, the sequence of the theft is as follows:

The first signs appeared a week ago, when Drift moved the protocol's administrative permissions from its old multisig wallet to a new one. The new wallet was created by one of the old multisig's signers, but that signer did not add themselves to it.

The attacker exploited this gap: first, a proposal was submitted in the old multisig to transfer Drift's administrator permissions to a new wallet controlled by the attacker.

The new multisig had five signers, only one of them carried over from the old multisig; the other four were entirely new. Its rules were extremely lenient: a 2-of-5 threshold (two signatures were enough to pass anything) and a 0-second timelock (a passed proposal executed immediately, with no waiting period).

This morning, the lone remaining old signer used the new multisig to submit a proposal: "Change Drift's administrator permissions to the wallet that the attacker truly controls."

Seconds later, one of the new signers co-signed, easily reaching the 2-of-5 threshold. Because there was no timelock, the proposal executed instantly, and the attacker held full administrator permissions.
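The governance sequence above, replayed as an added Rust example (not Drift's code and not the code of any real multisig program): a hypothetical M-of-N multisig model with an execution timelock runs the same propose, co-sign and execute steps under the 2-of-5, 0-second configuration described, and then under two tighter configurations. Signer names, timestamps and the 48-hour delay are assumptions.

```rust
use std::collections::BTreeSet;

/// Hypothetical model of an M-of-N multisig with an execution timelock.
/// Not Drift's or any multisig program's code; a stand-in for replaying the sequence.
#[derive(Debug, Clone)]
pub struct MultisigConfig {
    pub signers: Vec<&'static str>,
    pub threshold: usize,
    pub timelock_secs: u64,
}

#[derive(Debug)]
pub struct Proposal {
    pub action: String,
    pub approvals: BTreeSet<&'static str>,
    /// Unix time at which the approval threshold was first reached.
    pub approved_at: Option<u64>,
}

#[derive(Debug, PartialEq)]
pub enum ExecError {
    NotASigner,
    BelowThreshold { have: usize, need: usize },
    TimelockActive { ready_at: u64, now: u64 },
}

impl MultisigConfig {
    /// Creating a proposal counts as the proposer's own approval.
    pub fn propose(&self, proposer: &'static str, action: &str, now: u64) -> Result<Proposal, ExecError> {
        if !self.signers.contains(&proposer) {
            return Err(ExecError::NotASigner);
        }
        let mut p = Proposal { action: action.to_string(), approvals: BTreeSet::new(), approved_at: None };
        p.approvals.insert(proposer);
        self.note_threshold(&mut p, now);
        Ok(p)
    }

    pub fn approve(&self, p: &mut Proposal, signer: &'static str, now: u64) -> Result<(), ExecError> {
        if !self.signers.contains(&signer) {
            return Err(ExecError::NotASigner);
        }
        p.approvals.insert(signer);
        self.note_threshold(p, now);
        Ok(())
    }

    fn note_threshold(&self, p: &mut Proposal, now: u64) {
        if p.approved_at.is_none() && p.approvals.len() >= self.threshold {
            p.approved_at = Some(now);
        }
    }

    /// Execution succeeds only once the threshold is met AND the timelock has elapsed.
    pub fn execute(&self, p: &Proposal, now: u64) -> Result<String, ExecError> {
        let have = p.approvals.len();
        if have < self.threshold {
            return Err(ExecError::BelowThreshold { have, need: self.threshold });
        }
        let ready_at = p.approved_at.unwrap_or(now) + self.timelock_secs;
        if now < ready_at {
            return Err(ExecError::TimelockActive { ready_at, now });
        }
        Ok(format!("executed: {}", p.action))
    }
}

/// The sequence in the article: the one old signer proposes the admin transfer and an
/// attacker-added signer co-signs three seconds later. Names and timestamps are made up.
pub fn replay_admin_transfer(cfg: &MultisigConfig, t0: u64) -> Result<String, ExecError> {
    let mut p = cfg.propose("old_signer_1", "set_admin(attacker_wallet)", t0)?;
    cfg.approve(&mut p, "new_signer_2", t0 + 3)?;
    cfg.execute(&p, t0 + 3)
}

const SIGNERS: [&str; 5] = ["old_signer_1", "new_signer_2", "new_signer_3", "new_signer_4", "new_signer_5"];

/// 2-of-5, no timelock: the configuration the article describes.
pub fn lenient_config() -> MultisigConfig {
    MultisigConfig { signers: SIGNERS.to_vec(), threshold: 2, timelock_secs: 0 }
}

/// 2-of-5 with a 48-hour timelock (assumed value): the change waits where others can see it.
pub fn timelocked_config() -> MultisigConfig {
    MultisigConfig { signers: SIGNERS.to_vec(), threshold: 2, timelock_secs: 48 * 3600 }
}

/// 3-of-5 with a 48-hour timelock: two colluding keys are no longer enough.
pub fn hardened_config() -> MultisigConfig {
    MultisigConfig { signers: SIGNERS.to_vec(), threshold: 3, timelock_secs: 48 * 3600 }
}

fn main() {
    let t0 = 1_700_000_000;
    println!("lenient:    {:?}", replay_admin_transfer(&lenient_config(), t0));
    println!("timelocked: {:?}", replay_admin_transfer(&timelocked_config(), t0));
    println!("hardened:   {:?}", replay_admin_transfer(&hardened_config(), t0));
}
```

The two tighter configurations fail for different reasons, and that difference matters: a timelock alone does not stop a quorum of colluding keys, it only gives the remaining signers (or an external monitor watching for admin-transfer proposals) a window to react, whereas raising the threshold above the number of keys one party controls blocks the transfer outright.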

The attacker immediately used those permissions to create a CVT spot market on Drift. CVT's total supply is about 750 million tokens, of which the attacker holds 600 million. The attacker then configured Drift to read prices from a SwitchboardOnDemand oracle under their own control.

Over 20 transactions, the attacker pumped the price of CVT, previously nearly worthless, until the 600 million CVT they had deposited appeared, in the oracle's view, to be worth hundreds of millions or even billions of dollars. Against that collateral the attacker borrowed roughly $220 million to $280 million in assets, including 41.72 million JLP (Jupiter LP tokens, worth about $155 million), 51.61 million USDC, 164 cbBTC (worth about $11.29 million), and others.
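The borrow step above, as an added Rust model (not Drift's risk engine or any of its parameters): a minimal spot-market type whose collateral value is oracle price times amount times an asset weight, optionally capped, plus a borrow check with a per-market borrow cap. It shows why an attacker-controlled oracle on a freshly listed market is only fatal when the listing gives that market full collateral credit with no caps. The starting CVT price, the doubling per oracle update, the 0.8 loan-to-value ratio and the cap values are assumptions; the 600 million CVT and the $220 million borrow are the article's figures.

```rust
/// Hypothetical, deliberately simplified spot-market and risk-engine model.
/// Not Drift's code; it only shows where the listing parameters bite.
#[derive(Debug, Clone)]
pub struct SpotMarket {
    pub symbol: &'static str,
    /// Price the risk engine reads from the market's configured oracle.
    pub oracle_price_usd: f64,
    /// Fraction of oracle value credited as collateral (1.0 = full credit).
    pub asset_weight: f64,
    /// Hard cap on the USD collateral value this market may contribute.
    pub collateral_cap_usd: Option<f64>,
    /// Hard cap on the USD amount that may be borrowed from this market.
    pub borrow_cap_usd: Option<f64>,
}

#[derive(Debug, PartialEq)]
pub enum BorrowError {
    InsufficientCollateral { max_borrow_usd: f64, requested_usd: f64 },
    BorrowCapExceeded { cap_usd: f64, requested_usd: f64 },
}

impl SpotMarket {
    /// Collateral value the risk engine credits for `amount` tokens.
    pub fn collateral_value_usd(&self, amount: f64) -> f64 {
        let raw = amount * self.oracle_price_usd * self.asset_weight;
        match self.collateral_cap_usd {
            Some(cap) => raw.min(cap),
            None => raw,
        }
    }
}

/// Borrow `borrow_usd` from `borrow_market` against `collateral_amount` tokens of
/// `collateral_market` at loan-to-value `ltv`; returns the remaining borrow headroom.
pub fn try_borrow(
    collateral_market: &SpotMarket,
    collateral_amount: f64,
    borrow_market: &SpotMarket,
    borrow_usd: f64,
    ltv: f64,
) -> Result<f64, BorrowError> {
    if let Some(cap) = borrow_market.borrow_cap_usd {
        if borrow_usd > cap {
            return Err(BorrowError::BorrowCapExceeded { cap_usd: cap, requested_usd: borrow_usd });
        }
    }
    let max_borrow_usd = collateral_market.collateral_value_usd(collateral_amount) * ltv;
    if borrow_usd > max_borrow_usd {
        return Err(BorrowError::InsufficientCollateral { max_borrow_usd, requested_usd: borrow_usd });
    }
    Ok(max_borrow_usd - borrow_usd)
}

/// Pump the attacker-controlled oracle: `updates` price writes, each multiplying
/// the price by `step_factor`. The step size is an assumption, the count is the article's.
pub fn pump_oracle(market: &mut SpotMarket, updates: u32, step_factor: f64) {
    for _ in 0..updates {
        market.oracle_price_usd *= step_factor;
    }
}

pub const CVT_HELD: f64 = 600_000_000.0; // article figure
pub const BORROW_USD: f64 = 220_000_000.0; // article figure (lower bound)
pub const LTV: f64 = 0.8; // assumption

/// The listing as the attacker created it: full collateral weight, no caps.
pub fn lenient_listing() -> SpotMarket {
    SpotMarket { symbol: "CVT", oracle_price_usd: 0.000_001, asset_weight: 1.0, collateral_cap_usd: None, borrow_cap_usd: None }
}

/// A conservative listing for an unseasoned market: half weight and a $1M collateral cap (assumed).
pub fn hardened_listing() -> SpotMarket {
    SpotMarket { symbol: "CVT", oracle_price_usd: 0.000_001, asset_weight: 0.5, collateral_cap_usd: Some(1_000_000.0), borrow_cap_usd: None }
}

pub fn usdc_market(borrow_cap_usd: Option<f64>) -> SpotMarket {
    SpotMarket { symbol: "USDC", oracle_price_usd: 1.0, asset_weight: 1.0, collateral_cap_usd: None, borrow_cap_usd }
}

/// Replays the attack against a given CVT listing and USDC market configuration.
pub fn replay_attack(mut cvt: SpotMarket, usdc: &SpotMarket) -> Result<f64, BorrowError> {
    pump_oracle(&mut cvt, 20, 2.0); // 2^20 ≈ 1.05M x: $0.000001 -> ~$1.05 per CVT
    try_borrow(&cvt, CVT_HELD, usdc, BORROW_USD, LTV)
}

fn main() {
    let usdc = usdc_market(None);
    println!("lenient {} listing:  {:?}", lenient_listing().symbol, replay_attack(lenient_listing(), &usdc));
    println!("hardened {} listing: {:?}", hardened_listing().symbol, replay_attack(hardened_listing(), &usdc));
    println!("USDC borrow cap:      {:?}", replay_attack(lenient_listing(), &usdc_market(Some(50_000_000.0))));
}
```

With the lenient listing the 20 oracle writes turn 600 million near-worthless tokens into roughly $629 million of credited collateral and the $220 million borrow goes through. With a weight and cap on the new market the same pump yields at most $800,000 of borrowing power, and a borrow cap on the drained market stops the withdrawal regardless of what the collateral oracle says. None of these controls require trusting the oracle; they bound how much damage one bad price can do.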

DeFi's Lego-like composability was once seen as the sector's greatest advantage. Now that same property has passed the risk on, domino-style, to the other Solana protocols integrated with the Drift lending market.

Jupiter was the biggest victim of the incident. The JLP stolen, the largest single item, is the core LP asset of Jupiter's perpetuals market. Its loss will significantly reduce liquidity in that market and trigger knock-on effects such as panicked withdrawals and a falling JUP token.

In addition, more than 15 DeFi protocols, including Perena, Project 0, Exponent, Carrot, Ranger, PiggyBank, Reflect, Elemental, Neutral Trade, Pyra, Fuse, and XPlace, have posted to confirm that they were affected to varying degrees, and some have already paused withdrawals.

But in every security incident, the biggest impact falls on users, and repeated hacks continue to shake their confidence in DeFi.

“Nothing else today—withdraw all funds from all old on-chain projects, and for new projects, unless you really understand them, we won’t allow them either. These are troubling times—don’t test human nature.” After losing more than $6,000 in this incident, the well-known KOL “Taoao Dashi” posted this.
