Drift reveals details of $280M security breach while Circle faces backlash over delayed USDC intervention

According to Drift, a durable nonce vulnerability facilitated the Solana-based exploit, while observers criticized the extended period stolen USDC remained unfrozen.

On Thursday, Drift Protocol, a decentralized exchange operating on the Solana blockchain, acknowledged it had fallen victim to an exploit totaling approximately $280 million, characterizing the incident as a "highly sophisticated operation."

Using its X account to disclose results from an initial forensic review, the platform revealed that malicious actors had taken advantage of Solana's durable nonces, a feature that allows for the creation of pre-signed transactions, which enabled them to assume control and extract funds. Prior to this announcement, the protocol had disclosed it was facing an ongoing assault and had halted all deposit and withdrawal operations while working alongside security experts, bridge providers and trading platforms.

Wednesday marked the beginning of the assault, during which numerous digital assets were stolen, including Circle's USDC (USDC) along with several alternative cryptocurrencies. Subsequently, blockchain analysis revealed that the perpetrator converted most of the stolen assets into USDC, which was then transferred to the Ethereum network via bridging protocols.

The security breach has drawn considerable attention not merely due to what seems to be exploitation of a standard Solana transaction capability instead of a conventional smart contract vulnerability, but additionally because of the manner in which the stolen assets traversed multiple blockchains over several hours without any freezing action, prompting inquiries regarding potential intervention by centralized stablecoin providers.

Drift Protocol exploit details — Source: Drift

What is Solana's durable nonce feature?

Within the Solana ecosystem, durable nonces represent a distinctive functionality that permits transactions to circumvent standard expiration constraints, facilitating users' ability to create pre-signed transactions intended for subsequent execution, signature generation while offline, or intricate multi-signature operational procedures.

According to Drift's analysis, the perpetrator leveraged durable nonce-enabled, pre-signed transactions to obtain improper administrative privileges and carry out harmful operations rapidly following their submission to the network.

Drift Protocol attack explanation — Source: Drift

While durable nonces have not typically been linked to significant exploits in isolation, software developers have observed that functionalities permitting postponed transaction execution may introduce additional layers of complexity and potential security hazards when improperly utilized or when paired with additional system weaknesses.

Questions over Circle's response

The security breach has generated substantial criticism directed at USDC issuer Circle, given that the malicious actor required multiple hours to exchange $270 million worth of assets into the stablecoin prior to transferring them to the Ethereum blockchain.

Blockchain investigator ZachXBT along with other observers indicated that the organization possessed a minimum of six hours during which it could have frozen the compromised funds but failed to take action, creating a stark contrast with earlier instances where digital wallets were placed on blacklists.

Drift exploiter Ether purchases — The Drift exploiter had bought 130,262 ($267 million) Ether in total by publishing time. Source: Lookonchain

Certain cryptocurrency industry participants highlighted the distinction between Circle's technical capability to freeze assets and any legal requirement compelling them to do so.

Circle could freeze it. But they're not required to,
pseudonymous user Molu wrote on X

Molu further noted that proposed legislative measures such as the GENIUS Act have the potential to alter this situation by mandating intervention once finalized regulations take effect.

This security breach represents another chapter in the continuing discussion surrounding intervention by centralized entities during cryptocurrency attacks, with ZachXBT consistently voicing criticism toward Circle regarding this matter.

The blockchain investigator had previously raised concerns about Circle's handling of USDC connected to a hack affecting Bybit in late February, which elicited a statement from Circle CEO Jeremy Allaire, who explained that the company takes action to freeze funds based on requests from law enforcement authorities.