Get the latest ideas from Unchained.
Plus the best new takeaways from other top podcasts — read in minutes, not hours.
or
By continuing, you agree to podbrain's Terms and Privacy Policy.
Laura Shin hosts Omer Goldberg, founder and CEO of Chaos Labs, to discuss the devastating Drift Protocol hack that drained $285 million from Solana's largest decentralized perpetual futures exchange.
The sophisticated attack compromised over half of Drift's $500 million total value locked, making it the biggest DeFi hack of 2024 and among the top 10 largest ever. The methodical nature of the exploit, which involved a 21-day preparation period, fake token creation, oracle manipulation, and precise timing, has drawn comparisons to North Korean state-sponsored attacks.
The conversation explores the technical details of how attackers compromised admin keys, exploited Solana's durable nonce feature, and created cascading effects across 20+ integrated protocols in the Solana ecosystem.
The Methodical Three-Week Attack Timeline
21 days before execution, Drift initiated migration to a 2-of-5 multisig with zero timelock, providing attackers the administrative access needed for the exploit
Attackers created a fake CBT token and waited until April 1st, possibly to create confusion about whether hack reports were April Fool's pranks
"This was not like a random person who stumbled upon the keys. They studied the program. They were methodical and strategic" - Omer
The attack required five to six discrete technical steps executed within seconds, indicating deep protocol knowledge and careful planning
Admin Key Compromise and Supply Chain Vulnerabilities
The 2-of-5 multisig represented "one step above a single key" in terms of security, with speculation pointing to supply chain attacks through compromised packages
Recent Axios and Light LLM package compromises demonstrate how attackers gain root access to developer machines through infected open-source dependencies
A signer from the old multisig created the new one but didn't add themselves, suggesting the original signer was unaware of the compromise
The new multisig was signed by a second co-signer just one second after creation, immediately meeting the 2-of-5 threshold for execution
Oracle Manipulation Through Fake Token Creation
Attackers created CBT token with unlimited risk parameters and configured which oracle the Drift market would use for price feeds
"Created a token, spun up a fake Oracle, or like a real Oracle that was pointing to the fake pool, pumped the price" - Omer
By running fake trading volumes in the CBT pool, attackers manipulated the oracle to show hundreds of millions in collateral value
This technique mirrors the Mango Markets attack methodology, where Avi Eisenberg later contacted Chaos Labs asking to verify attack cost calculations
Solana's Durable Nonce as Attack Vector
Durable nonces allow signing transactions without time expiration, enabling attackers to prepare transactions and wait for optimal execution timing
Anatoly Yakovenko defended the feature: "There's no way to not have this feature because cold storage custodians have to have arbitrary amount of time to recover the key"
Without durable nonces, attackers would need to sign and execute within a two-minute timeframe, significantly limiting attack sophistication
Monitoring systems like PagerDuty can alert on authority transfers, but "if the pager is going off, then isn't it too late?" - Laura
Massive Ecosystem Contagion Across 20+ Protocols
Three categories of affected protocols: Drift vaults (Prime Number lost $10M, Gauntlet $6.4M), borrowing integrations like Pyra, and yield products
"This was number one in terms of discrete protocols that were affected with over 20" making it unprecedented in scope - Omer
Reflect Money, Trade Neutral, and Elemental were among yield products that lost user deposits through Drift integration dependencies
By the time teams understood what was happening, "due to the lack of monitoring and alerting infrastructure, it was already too late"
Circle's Controversial Inaction During Fund Movement
Zach XBT criticized Circle for having "six hours to freeze stolen funds" but choosing not to act as hackers used CCTP to move money
"Circle Today does have the, and they have historically blacklisted addresses" but typically only with legal mandate from law enforcement - Omer
Attackers appeared confident Circle wouldn't freeze funds, deliberately choosing USDC and CCTP protocol for the transfer
The precedent concern: "What is Circle's role? Should Circle be monitoring for all hacks?" creates complex policy questions
North Korean Attribution and Security Fingerprints
The attack shows "similarities between this and Bybit" with methodical key signing deception reminiscent of Lazarus Group techniques
"This wasn't a random dev that kind of stumbled upon these keys and decided that they would give it a go. This was very methodical" - Omer
Attribution requires tracing funds to addresses "blacklisted or suspected of being tied to the North Korean regime"
Unlike Bybit's UI manipulation, this attack went further by literally controlling the entire protocol during execution
From Unchained. Get a note like this from every new episode.