Unchained · the podbrain notes ·
4 min read

How Solana's Largest Perp DEX Was Exploited for $285 Million

Laura Shin hosts Omer Goldberg, founder and CEO of Chaos Labs, to discuss the devastating Drift Protocol hack that drained $285 million from Solana's largest decentralized perpetual futures exchange.

Unchained Unchained
Subscribe to Notes Upgrade
Unchained episode thumbnail: How Solana's Largest Perp DEX Was Exploited for $285 Million
Unchained
Key Takeaways
  1. 01

    Drift Protocol was hacked for $285 million from a $500 million TVL, making it the biggest DeFi hack of 2024

  2. 02

    The attack was methodical and sophisticated, with hackers waiting 21 days after compromising admin keys before executing

  3. 03

    Attackers used a fake CBT token with unlimited parameters and manipulated oracles to drain blue chip assets

  4. 04

    Over 20 protocols were affected through vault integrations and borrowing dependencies, creating massive contagion

  5. 05

    Circle had 6 hours to freeze stolen USDC funds but chose not to act without legal mandate

  6. 06

    The hack resembles North Korean Lazarus Group techniques, particularly the methodical multi-step approach

  7. 07

    Drift's 2-of-5 multisig with no timelock enabled instant execution once two keys were compromised

  8. 08

    Supply chain attacks through compromised packages like Axios may have provided initial access to developer machines

Get the latest ideas from Unchained.

Plus the best new takeaways from other top podcasts — read in minutes, not hours.

or

By continuing, you agree to podbrain's Terms and Privacy Policy.

These notes may contain occasional inaccuracies. Learn how podbrain notes are made

Laura Shin hosts Omer Goldberg, founder and CEO of Chaos Labs, to discuss the devastating Drift Protocol hack that drained $285 million from Solana's largest decentralized perpetual futures exchange.

The sophisticated attack compromised over half of Drift's $500 million total value locked, making it the biggest DeFi hack of 2024 and among the top 10 largest ever. The methodical nature of the exploit, which involved a 21-day preparation period, fake token creation, oracle manipulation, and precise timing, has drawn comparisons to North Korean state-sponsored attacks.

The conversation explores the technical details of how attackers compromised admin keys, exploited Solana's durable nonce feature, and created cascading effects across 20+ integrated protocols in the Solana ecosystem.

The Methodical Three-Week Attack Timeline

21 days before execution, Drift initiated migration to a 2-of-5 multisig with zero timelock, providing attackers the administrative access needed for the exploit

Attackers created a fake CBT token and waited until April 1st, possibly to create confusion about whether hack reports were April Fool's pranks

"This was not like a random person who stumbled upon the keys. They studied the program. They were methodical and strategic" - Omer

The attack required five to six discrete technical steps executed within seconds, indicating deep protocol knowledge and careful planning

Admin Key Compromise and Supply Chain Vulnerabilities

The 2-of-5 multisig represented "one step above a single key" in terms of security, with speculation pointing to supply chain attacks through compromised packages

Recent Axios and Light LLM package compromises demonstrate how attackers gain root access to developer machines through infected open-source dependencies

A signer from the old multisig created the new one but didn't add themselves, suggesting the original signer was unaware of the compromise

The new multisig was signed by a second co-signer just one second after creation, immediately meeting the 2-of-5 threshold for execution

Oracle Manipulation Through Fake Token Creation

Attackers created CBT token with unlimited risk parameters and configured which oracle the Drift market would use for price feeds

"Created a token, spun up a fake Oracle, or like a real Oracle that was pointing to the fake pool, pumped the price" - Omer

By running fake trading volumes in the CBT pool, attackers manipulated the oracle to show hundreds of millions in collateral value

This technique mirrors the Mango Markets attack methodology, where Avi Eisenberg later contacted Chaos Labs asking to verify attack cost calculations

Solana's Durable Nonce as Attack Vector

Durable nonces allow signing transactions without time expiration, enabling attackers to prepare transactions and wait for optimal execution timing

Anatoly Yakovenko defended the feature: "There's no way to not have this feature because cold storage custodians have to have arbitrary amount of time to recover the key"

Without durable nonces, attackers would need to sign and execute within a two-minute timeframe, significantly limiting attack sophistication

Monitoring systems like PagerDuty can alert on authority transfers, but "if the pager is going off, then isn't it too late?" - Laura

Massive Ecosystem Contagion Across 20+ Protocols

Three categories of affected protocols: Drift vaults (Prime Number lost $10M, Gauntlet $6.4M), borrowing integrations like Pyra, and yield products

"This was number one in terms of discrete protocols that were affected with over 20" making it unprecedented in scope - Omer

Reflect Money, Trade Neutral, and Elemental were among yield products that lost user deposits through Drift integration dependencies

By the time teams understood what was happening, "due to the lack of monitoring and alerting infrastructure, it was already too late"

Circle's Controversial Inaction During Fund Movement

Zach XBT criticized Circle for having "six hours to freeze stolen funds" but choosing not to act as hackers used CCTP to move money

"Circle Today does have the, and they have historically blacklisted addresses" but typically only with legal mandate from law enforcement - Omer

Attackers appeared confident Circle wouldn't freeze funds, deliberately choosing USDC and CCTP protocol for the transfer

The precedent concern: "What is Circle's role? Should Circle be monitoring for all hacks?" creates complex policy questions

North Korean Attribution and Security Fingerprints

The attack shows "similarities between this and Bybit" with methodical key signing deception reminiscent of Lazarus Group techniques

"This wasn't a random dev that kind of stumbled upon these keys and decided that they would give it a go. This was very methodical" - Omer

Attribution requires tracing funds to addresses "blacklisted or suspected of being tied to the North Korean regime"

Unlike Bybit's UI manipulation, this attack went further by literally controlling the entire protocol during execution

Unchained
From Unchained. Get a note like this from every new episode.
Subscribe to Notes Upgrade

These notes may contain occasional inaccuracies. Learn how podbrain notes are made

0 / 0
Link copied