DeFi lending protocol Drift was hacked in 10 seconds, resulting in over $200 million stolen, affecting more than 15 projects.


Author: Gu Yu, ChainCatcher

Around 1 a.m. this morning, the DeFi space was hit by another large-scale theft. The Solana lending protocol Drift was attacked, and more than $200 million of users' assets was drained within about ten seconds.

After the incident, the Drift token dropped by more than 40% in a short period of time. Current FDV is about $44 million. Because many assets in the Solana ecosystem are involved, Solana ecosystem tokens such as SOL and JUP also saw abnormal declines of varying degrees.

Drift was previously one of the largest lending protocols in the Solana ecosystem. According to RootData, the protocol has raised more than $52 million in total, with investors including top-tier VCs such as Multicoin Capital, Polychain, Robot Ventures, Blockchain Capital, Ethereal Ventures, Jump Capital, and others.

According to public analysis, the Drift theft hinged on the illicit takeover of a multisig admin address, layered with familiar techniques such as a governance attack and oracle manipulation. Once in control, the attacker used a single signing key to complete every step in one transaction: creating a fake market, manipulating the oracle, and disabling withdrawal limits. Because the episode involved a leaked multisig signer key, an insider cannot be ruled out.

The all-too-common attack methods, together with the project teams’ weak preventive measures, have once again exposed DeFi’s fragility. Based on tweets and related commentary by Omer Goldberg, founder of Chaos Labs, the following is a detailed analysis of the theft process:

The first signs of the incident appeared a week ago, when Drift transferred the protocol's administrative privileges from an old multisig wallet to a new one. The new wallet was created by one of the signers of the old multisig, but that signer did not add themselves to it.

The attacker exploited this gap. They first submitted a proposal in the old multisig to transfer Drift's admin privileges to a new wallet under their control.

The new multisig had 5 signers, only 1 of whom came from the old one; the other 4 were brand new. Its rules were extremely lax: a 2/5 threshold (approval from just 2 of the 5 signers was enough to execute), and a 0-second timelock, so a proposal executed immediately upon approval with no waiting period.

Early this morning, that one remaining old signer submitted a proposal in the new multisig: "Change Drift's admin privileges to the wallet the attacker truly controls."

A few seconds later, one of the new signers added the second signature, reaching the 2/5 threshold. With no timelock, the proposal executed instantly and the attacker held full administrative privileges.
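The multisig settings described above, as an added example that is not part of the original article and not Drift's code: a small Python policy check that flags the three weaknesses at once (threshold below a floor, zero timelock, too few signers carried over from the old multisig), next to a minimal proposal model that shows why a 2/5, 0-second configuration executes within seconds of the second signature while a 3/5, 48-hour one does not. The signer labels, the policy floors and the "safe" alternative configuration are assumptions chosen for illustration.

```python
"""Policy check for a multisig admin-authority migration.

Constructed example, not Drift's code. Signer labels, policy floors and
the 'safe' configuration are assumptions used to illustrate the weak
settings reported in the article (2-of-5, 0-second timelock, one
carried-over signer).
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class MultisigConfig:
    name: str
    signers: FrozenSet[str]
    threshold: int           # approvals needed before a proposal can execute
    timelock_seconds: int    # delay between final approval and execution


@dataclass(frozen=True)
class MigrationPolicy:
    min_threshold_ratio: float = 0.6     # e.g. at least 3 of 5 signers
    min_timelock_seconds: int = 24 * 3600
    min_carryover_signers: int = 2       # old signers that must remain on the new set


def review_migration(old: MultisigConfig, new: MultisigConfig,
                     policy: MigrationPolicy = MigrationPolicy()) -> List[str]:
    """Return the policy violations an admin transfer old -> new would introduce."""
    findings = []
    n = len(new.signers)
    if new.threshold < policy.min_threshold_ratio * n:
        findings.append(f"threshold {new.threshold}/{n} below required "
                        f"{policy.min_threshold_ratio:.0%}")
    if new.timelock_seconds < policy.min_timelock_seconds:
        findings.append(f"timelock {new.timelock_seconds}s below required "
                        f"{policy.min_timelock_seconds}s")
    carryover = old.signers & new.signers
    if len(carryover) < policy.min_carryover_signers:
        findings.append(f"only {len(carryover)} signer(s) carried over from "
                        f"{old.name}; need {policy.min_carryover_signers}")
    return findings


@dataclass
class Proposal:
    """Minimal multisig proposal: collect approvals, then wait out the timelock."""
    config: MultisigConfig
    created_at: int
    approvals: Set[str] = field(default_factory=set)
    approved_at: Optional[int] = None   # time the threshold was reached

    def approve(self, signer: str, now: int) -> None:
        if signer not in self.config.signers:
            raise ValueError(f"{signer} is not a signer of {self.config.name}")
        self.approvals.add(signer)
        if self.approved_at is None and len(self.approvals) >= self.config.threshold:
            self.approved_at = now

    def executable_at(self) -> Optional[int]:
        """Earliest timestamp the proposal may execute, or None if not yet approved."""
        if self.approved_at is None:
            return None
        return self.approved_at + self.config.timelock_seconds


# Constructed signer sets: placeholders, not real keys.
OLD = MultisigConfig("old-admin", frozenset({"A", "B", "C", "D", "E"}), 3, 24 * 3600)
WEAK_NEW = MultisigConfig("new-admin", frozenset({"E", "X1", "X2", "X3", "X4"}), 2, 0)
SAFE_NEW = MultisigConfig("new-admin", frozenset({"A", "B", "E", "X1", "X2"}), 3, 48 * 3600)


def demo():
    """Review both configurations and replay two approvals a few seconds apart."""
    weak_findings = review_migration(OLD, WEAK_NEW)
    safe_findings = review_migration(OLD, SAFE_NEW)
    weak = Proposal(WEAK_NEW, created_at=0)
    weak.approve("E", now=0)
    weak.approve("X1", now=5)      # threshold reached; no timelock, executes at t=5
    safe = Proposal(SAFE_NEW, created_at=0)
    safe.approve("A", now=0)
    safe.approve("B", now=5)       # 2 < 3: not approved yet
    return weak_findings, safe_findings, weak.executable_at(), safe.executable_at()


if __name__ == "__main__":
    weak_findings, safe_findings, weak_t, safe_t = demo()
    for f in weak_findings:
        print("WEAK:", f)
    print("SAFE findings:", safe_findings)
    print("weak proposal executable at t =", weak_t)
    print("safe proposal executable at t =", safe_t)
```

The check is deliberately run against the migration itself, before the old multisig approves it: the point of the incident is that the dangerous configuration was accepted a week earlier, and the same two signatures that would have failed a 3/5 threshold plus a multi-day timelock were enough to take over the protocol in seconds.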

The attacker then immediately used those privileges to create a CVT spot market on Drift. The token's total supply is about 750 million, of which the attacker held 600 million. Next, the attacker configured Drift to read prices for the market from a SwitchboardOnDemand oracle they controlled.

With the setup complete, the attacker used 20 transactions to push the oracle price of CVT, a token that had previously been almost worthless, high enough that the 600 million CVT they had deposited as collateral appeared to be worth hundreds of millions of dollars. Against that collateral, the attacker borrowed assets worth roughly $220 million to $280 million, including 41.72 million JLP (Jupiter LP token, valued at about $155 million), 51.61 million USDC, 164 cbBTC (valued at about $11.29 million), and more.

DeFi's "money lego" composability was once seen as the sector's biggest advantage. Now that same composability has passed the risk on to every Solana DeFi protocol integrated with the Drift lending market, like a line of dominoes falling.

Jupiter was the largest collateral victim of the incident. JLP, the asset stolen in the greatest quantity, is the core LP token of Jupiter's perpetuals market. Its removal is expected to sharply reduce liquidity in that market and trigger knock-on effects such as panic withdrawals and a drop in the JUP token.

In addition, more than 15 DeFi protocols—including Perena, Project 0, Exponent, Carrot, Ranger, PiggyBank, Reflect, Elemental, Neutral Trade, Pyra, Fuse, XPlace, and others—posted statements confirming that they were affected to different extents by the Drift theft incident, and some withdrawal functions have been paused.

As with every security incident, the heaviest impact falls on users. A steady stream of hacks keeps eroding users' confidence in DeFi.

After losing more than $6,000 in the incident, the well-known KOL "Tao Australia Master Brother" posted: "Nothing else today—withdraw all funds from old on-chain projects; for new projects, unless you're particularly familiar with them, we won't accept them. It's a troublesome time—don't test human nature."
