Drift Protocol (Solana perpetual futures DEX): Multi-month social engineering + Solana durable-nonce pre-signing + fake-collateral-token / attacker-controlled oracle
North Korean operatives spent six months posing as a trading firm at real conferences, compromised Drift contributors' devices via a VSCode zero-day, pre-signed dormant Solana transactions, then drained $285M in 128 seconds on April 1, 2026.
Summary
Drift Protocol (Solana perpetual futures DEX) suffered an exploit on 2026-04-01, resulting in a loss of approximately $285M.
What happened
North Korean operatives spent six months posing as a trading firm at real conferences, compromised Drift contributors' devices via a VSCode zero-day, pre-signed dormant Solana transactions, then drained $285M in 128 seconds on April 1, 2026.
Linked factors
- RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Security Council migrated to 2/5 threshold with zero timelock approximately 6 days before exploit] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Security Council migrated to 2/5 threshold with zero timelock approximately 6 days before exploit]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: [PENDING: no confirmed Immunefi or equivalent program found in sources]]
- RD-F-027 — causal : ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — Security Council threshold reduction (3/5→2/5, timelock removed) March 25–27; admin key transfer April 1]
- RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: CVT minted March 12 with 80% supply concentration to one address; $500 Raydium seed pool with wash-trading volume; 4 durable-nonce accounts ...]
- RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — attacker-deployed CVT oracle (not a recognized oracle provider); price feed detectably non-canonical]
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — Security Council threshold reduction (3/5→2/5, timelock removed) March 25–27; admin key transfer April 1]
- RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Security Council migrated to 2/5 threshold with zero timelock approximately 6 days before exploit]
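As an added illustration (not part of this record or of Drift's own monitoring), a sketch of the two real-time checks the linked factors say would have fired: the oracle provider/deviation check (RD-F-099) and the governance threshold/timelock check (RD-F-101). The provider allowlist, the 5% deviation threshold and the sample values are assumptions, chosen to mirror the signals listed above.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed placeholder allowlist of feed publishers the protocol is expected to
# read from; a real deployment would pin the oracle program IDs instead.
RECOGNIZED_ORACLE_PROVIDERS = {"pyth", "switchboard"}

@dataclass
class OracleObservation:
    market: str
    oracle_provider: str              # publisher of the feed the margin engine reads
    oracle_price: float               # price the protocol currently uses
    reference_price: Optional[float]  # independent secondary source, None if unavailable

def oracle_anomalies(obs: OracleObservation, max_deviation: float = 0.05) -> list:
    """Return the oracle-side real-time signals that fire for one observation."""
    findings = []
    if obs.oracle_provider not in RECOGNIZED_ORACLE_PROVIDERS:
        findings.append("non-canonical oracle provider")
    if obs.reference_price is None or obs.reference_price <= 0:
        # A collateral asset with no independent price cannot be cross-checked at all
        findings.append("no independent secondary price (new or illiquid collateral)")
    else:
        dev = abs(obs.oracle_price - obs.reference_price) / obs.reference_price
        if dev > max_deviation:
            findings.append(f"price deviates {dev:.0%} from secondary source")
    return findings

@dataclass
class GovernanceChange:
    old_threshold: int
    old_signers: int
    new_threshold: int
    new_signers: int
    timelock_seconds: int             # 0 means changes execute immediately

def governance_anomalies(change: GovernanceChange) -> list:
    """Return the governance-side signals that fire for one multisig config change."""
    findings = []
    if change.new_threshold < change.old_threshold:
        findings.append(f"multisig threshold reduced {change.old_threshold}/{change.old_signers}"
                        f" -> {change.new_threshold}/{change.new_signers}")
    if change.timelock_seconds == 0:
        findings.append("timelock removed: no review window before execution")
    return findings

if __name__ == "__main__":
    # Constructed sample values modelled on the signals in this record.
    print(oracle_anomalies(OracleObservation("CVT", "attacker-deployed", 10.0, 0.1)))
    print(governance_anomalies(GovernanceChange(3, 5, 2, 5, 0)))
```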