The Drift Exploit: When Privileged Access Has No Limits

On April 1, Drift Protocol - the largest perpetual futures exchange on Solana - was drained of roughly $285M in less than 12 minutes. It is governed by a Security Council multisig, a standard DeFi pattern in which multiple signers must approve sensitive actions.
‍

The attack combined social engineering, durable nonce transactions, privileged access, malicious market configuration, and rapid extraction of real assets against fabricated collateral. The attack did not include a contract bug. 
‍

The attack unfolded in several stages.
‍

Preparing Synthetic Collateral

‍

Before interacting with Drift, the attacker prepared the asset that would later be used in the drain.

A token called CarbonVote Token (CVT) was created, with roughly 750 million tokens minted and about 600 million controlled by the attacker. A small Raydium liquidity pool was seeded and the attacker used wash trading over several weeks to build a credible price history near $1. This step matters because the protocol does not evaluate whether an asset has real economic backing. It evaluates the inputs it is given: price feeds, liquidity signals, collateral parameters, and account health. If a new asset is accepted as collateral, and the protocol sees a price feed that looks valid, that asset can become borrowable collateral even if the underlying value is fabricated.
‍

Staging Execution with Durable Nonces

‍

Between March 23 and March 30, four durable nonce accounts were created. Two were tied to Drift Security Council members, and two were attacker-controlled.
‍

Durable nonces allow a transaction to be signed in advance and executed later, rather than expiring quickly with a recent blockhash. In this case, that feature was used to separate the signing moment from the execution moment.

Legitimate signers were induced to pre-sign nonce-bound transactions. That gave the attacker signed, executable transaction paths that could be used later without requiring real-time approval.
‍

Reaching Privileged Access

‍

Around March 27, Drift’s Security Council was migrated to a new 2-of-5 multisig. Critically, the new configuration had a 0-second timelock that eliminated any delay that would have allowed detection or intervention before a privileged action could take effect. Only one signer carried over from the previous council; the other four were new.

‍

By March 30, the attacker had obtained enough effective approvals across the old and new signer sets to reach 2-of-5 authority in the updated council before execution day.
‍

Reconfiguring the Protocol

‍

At ~16:05 UTC on April 1, the execution phase began. Two pre-signed durable nonce transactions were submitted four Solana slots apart. The first created and approved a malicious admin transfer, the second approved and executed it. Together they transferred administrative control.

‍

Once admin control was in place, the attacker moved immediately: a new spot market was created for CVT with parameters tuned for maximum extractability, maintenance requirements were set low enough to make the collateral highly extractable, and withdrawal circuit breakers were raised by 20x or more across five real asset markets (USDC, wETH, dSOL, JLP, and cbBTC) removing every withdrawal safeguard simultaneously.
‍

Converting Fake Value into Real Assets

‍

The attacker deposited 500 million CVT as collateral. Because the oracle priced CVT at roughly $1 based on the manufactured trading history, the protocol treated this as approximately $500 million in legitimate collateral. The attacker then executed 31 rapid withdrawals, draining real assets across multiple markets. The JLP vault went from 41.7 million JLP to 133 JLP remaining.

‍

At this point, the risk engine was not protecting the protocol. It was enforcing the state it had been given. Once the attacker controlled the privileged inputs, the protocol’s own collateral and withdrawal logic enabled the drain.
‍

Moving the Funds

‍

After the drain, funds were routed through Jupiter, bridged cross-chain via deBridge and Wormhole to Ethereum, converted into ETH, and dispersed across multiple addresses. The speed of the laundering phase (most stolen assets were bridged within hours) underscores how limited post-incident intervention is when pre-transaction controls are absent.

‍

The speed of the laundering phase underscores how short the response window was once the drain started, and how limited post-incident intervention is when pre-transaction controls are absent.
‍

What Failed

‍

The Drift exploit was not a single-call failure. It was a sequence of valid privileged actions that created an unsafe system state:

‍

• a new asset was introduced
• that asset was given a credible onchain price
• that price was turned into collateral power
• withdrawal protections were relaxed
• real assets were withdrawn against fabricated value

‍

What Stronger Controls Would Have Looked Like

‍

A stronger design would not rely only on signer validity. It would also enforce hard limits on what privileged operations are allowed to do.

‍

Each aspect of the Drift exploit passed through a gap where a hard control could have stopped the sequence:

‍

• New collateral markets must satisfy objective requirements around oracle source, liquidity depth, collateral weights, and maintenance thresholds before they can be enabled (blocking where a token backed by tiny amounts of liquidity was given full collateral power)
  ‍
• Authority changes must require explicit approval and should not be hidden inside broad admin flows (blocking where a Security Council migration to a 0-second timelock with 4 new signers created the exploitable gap without triggering independent review)
  ‍
• Withdrawal protections should not be raised across multiple important markets in a single step beyond tightly bounded limits (blocking where circuit breakers on USDC, wETH, dSOL, JLP, and cbBTC were all raised to extreme levels in one sequence, removing all withdrawal safeguards simultaneously)
  ‍
• Durable nonce usage should be restricted for high-impact admin actions, or those actions should be forced through additional review and delay (blockingwhere pre-signed transactions separated the moment of signing from the moment of execution by over a week, turning legitimate approvals into a deferred attack payload)
  ‍
• Sensitive changes should be staged, so market creation, risk parameter changes, and withdrawal-limit changes cannot all happen in one uninterrupted path (blocking where admin takeover, CVT listing, collateral configs, circuit breaker changes, and 31 withdrawals all completed within 12 minutes with no enforced separation between them)
  ‍

These are not process improvements, they are hard controls on protocol behavior.

‍
‍

How This Could Have Been Prevented with Hypernative Guardian

‍

This is the kind of hack Guardian is meant to prevent.

‍

The key issue in Drift was not only that privileged access was reached. The bigger issue was that once access was reached, there were too few constraints on what could be done with it.

‍

Guardian adds that extra layer.

‍

With Hypernative Guardian, protocols can define and enforce DeFi-native policies around privileged actions and protocol configuration. Those policies are enforced onchain, not left to signer judgment or manual review.

Guardian policies are not abstract principles. They are configurable rules that teams define and Guardian enforces onchain. Here is what a policy set designed for an attack like Drift would look like in plain language:
‍

• New market listing policy: Block any new spot market where the backing oracle has fewer than 7 days of continuous price history, the underlying liquidity pool holds less than $500,000, or the initial asset weight exceeds 80%. → The CVT market had hours of wash-traded price history, $500 in liquidity, and was configured for near-unlimited borrowing power. This policy stops it before the first deposit.
  ‍
• Authority change policy: Require that any admin transfer or authority upgrade targets an address that has been on a pre-registered allowlist for at least 48 hours, and flag any authority change that occurs within 7 days of a multisig membership migration → The attacker executed the admin transfer immediately after obtaining 2-of-5 authority on a newly migrated council. This policy creates a cooling-off period that would have surfaced the anomaly before it became irreversible.
  ‍
• Risk parameter policy: Block any transaction that sets an initial asset weight above 85%, a maintenance margin requirement below 5%, or a liquidation fee below 1% on any market, and flag any parameter change that moves more than two of these values on the same market within a single transaction → The attacker configured CVT's collateral parameters for maximum extractability: asset weight set to allow near-unlimited borrowing, maintenance margin effectively zeroed out. Any one of those values in isolation would have failed this policy. Together, they would have triggered both the individual bounds check and the multi-parameter flag. This policy ensures that even a legitimately listed market cannot be quietly tuned into an extraction vehicle by stacking aggressive parameters that individually sit near the boundary but collectively create an unsafe position.
  ‍
• Blast radius policy: Block any transaction that modifies withdrawal limits on more than one market within the same execution context, or that increases any single market's withdrawal ceiling by more than 5x in a 24-hour window → The attacker raised circuit breakers across five markets by 20x or more in a single sequence. This policy forces those changes to happen separately, slowly, and with explicit re-approval at each step.
  ‍
• Stateful policy checks: Block any execution path in which a new market is created AND collateral is deposited against it AND withdrawals from other markets occur within the same session→ No individual step here is necessarily malicious on its own. A new market listing is routine. A collateral deposit is routine. A withdrawal is routine. But the combination in rapid sequence, from a newly privileged address is the signature of a drain. This is the check that single-transaction validation cannot catch. Guardian evaluates across actions, not just within them.
  ‍

Guardian’s strength is that these policies are highly configurable and DeFi-native. Teams can define them in Python or through a no-code workflow, and keep extending them over time as the protocol evolves. As more operational rules are encoded, unexpected access becomes much less useful because there are fewer ways to turn that access into a drain.
‍

What Hypernative’s Monitoring Would Surface

‍

Policies enforce limits at the moment of execution. But several stages of the Drift attack were observable days or weeks before the drain and would have been flagged by a monitoring layer configured with protocol-specific context:

‍

• Security council migration monitoring: On March 27, Drift's Security Council was migrated to a new 2-of-5 multisig with a 0-second timelock, replacing four of five signers. A monitoring rule that tracks governance configuration changes (signer membership, threshold changes, timelock modifications) would have surfaced this as a high-severity alert the moment it landed onchain. The combination of near-total signer turnover and the removal of the timelock is anomalous by any baseline. In isolation, it’ snot proof of an attack, but it is exactly the kind of governance degradation that warrants immediate human review and, where possible, an automatic pause on further privileged actions until that review is complete.
  ‍
• Admin privilege changes: The two durable nonce transactions that transferred administrative control on April 1 were the first admin authority changes on Drift in an extended period. A monitoring rule that alerts on any admin transfer, authority delegation, or upgrade, particularly when the target address has no prior interaction history with the protocol, would have fired within seconds of submission. When combined with the governance migration alert from five days earlier, the signal becomes unambiguous: two structural changes to protocol authority in under a week, the second targeting an entirely unknown address.
  ‍
• Anomalous market creation: Drift had 62 active spot markets before the attack. The creation of Spot Market #63 for a token with no meaningful liquidity history, an unrecognised oracle source, and collateral parameters outside the range of every existing market is detectable through protocol-specific monitoring. This is not a generic anomaly as it requires knowledge of what normal looks like for Drift specifically. Which oracles are trusted, what parameter ranges existing markets use, and what the typical listing cadence looks like. A monitoring rule calibrated to Drift's operational baseline would have flagged CVT's listing as an outlier across multiple dimensions simultaneously.
  ‍
• Anomalous withdrawal patterns: The 31 withdrawals that drained $285 million in under 12 minutes represent a volume and velocity pattern that has no precedent in Drift's operating history. A monitoring rule that tracks withdrawal rate, size, and concentration (particularly withdrawals from multiple vault types within a short window, or withdrawals that reduce any single vault below a defined floor) would have triggered within the first two or three transactions. By itself, this alert arrives late in the attack sequence. But paired with Guardian's blast radius and stateful combination policies, the monitoring alert becomes the backstop: if a policy misconfiguration or an edge case allows the first few withdrawals through, the monitoring layer catches the pattern before the vaults are fully drained
  ‍

The monitoring layer and the policy layer are complementary. Monitoring surfaces risk as it develops like governance changes, privilege escalations, or unusual market activity, giving teams time to investigate and respond before an attack reaches execution. Policies enforce hard limits at the point of execution, blocking unsafe state changes regardless of whether a human has reviewed the alert. Together, they close the gap that Drift's architecture left open: the weeks of observable staging that preceded the attack, and the 12 minutes of uncontrolled execution that followed.
‍

Operational Safety

‍

This matters beyond adversarial scenarios. The same policy layer that blocks an exploit path also catches the operational mistakes that happen during normal protocol management, and those happen far more often than state-sponsored attacksThat matters not only for hacks. It also matters for everyday operational safety. The same policy layer that blocks an exploit path also reduces the chance of bad market listings, unsafe parameter updates, and rushed admin actions during normal protocol operations.

‍

Consider a protocol team that is listing a new collateral market under time pressure. Without Guardian, a misconfigured asset weight or an insufficiently vetted oracle goes live the moment the transaction is signed. The risk engine enforces whatever parameters it is given, whether those parameters were set by an attacker or by a team member who made an error under deadline. With Guardian, the listing policy catches the same issues regardless of intent: the liquidity depth check fails, the oracle history requirement is not met, the collateral weight exceeds the approved range. The transaction is blocked before it reaches the protocol.

‍

Or consider a routine parameter update where a team member accidentally raises a withdrawal limit by 100x instead of 10x. Without a blast radius policy, that change takes effect immediately. With Guardian, the delta check catches the overshoot and blocks it the same way it would block an attacker making the identical change deliberately.

‍

This is what distinguishes protocol-level policy enforcement from transaction-level security. Transaction validation asks: is this specific action malicious? Policy enforcement asks: is the resulting protocol state safe? The second question catches a much wider range of problems, because it does not require the cause to be adversarial. Misconfigurations, fat-finger errors, rushed deployments, and under-tested upgrades all produce unsafe states. Guardian treats them the same way it treats an exploit because from the protocol's perspective, the outcome is identical.

‍

That is the main lesson from Drift.

‍

The problem was not only who had access. It was what that access was still allowed to do.

‍

Hypernative Guardian is built to enforce those limits before a protocol reaches an unsafe state.