After the $285M Drift Hack: How to Revoke Access and Check If Your Solana Wallet Is Still at Risk
SolGuard Security
The Drift Protocol hack on April 1, 2026 drained $285 million in 12 minutes — the largest DeFi exploit of 2026. But the attack didn't start on April 1. Pre-staging began on March 11 using a technique most Solana users have never heard of: durable nonce accounts.
If you've ever used Drift, had JLP tokens, or interacted with any Drift-adjacent protocol, you should spend 5 minutes checking your exposure. This guide explains how.
What Was Actually Stolen
- ~$155M in JLP tokens (Jupiter Liquidity Provider) — the single largest loss
- ~$80M in USDC
- ~$30M in SOL
- ~$15M in WBTC
- Remaining in smaller SPL tokens
Attribution: TRM Labs and Elliptic both confirmed DPRK/Lazarus Group based on Tornado Cash funding origins, laundering methodology matching the 2022 Ronin bridge hack, and deployment signatures consistent with Pyongyang timezone.
The Durable Nonce Attack Vector (What Makes This Different)
Most hacks exploit a contract bug in real-time. The Drift hack was pre-staged for 21 days using Solana's durable nonce mechanism.
A durable nonce account lets you create a signed transaction that can be executed at ANY future point — days, weeks, or months later. This is used legitimately for cold wallet operations. But it was weaponized here: attackers social-engineered Drift's multisig holders into pre-signing admin transactions using durable nonces. Once signed, those transactions sat ready to execute at any time.
On April 1, the attackers triggered everything simultaneously.
Step 1: Check If You Have Active Durable Nonce Accounts
This is the highest-priority check. If your wallet has durable nonce accounts, there may be pre-signed transactions outstanding that can drain you at any time.
Free instant check (no wallet connection required):
- SolGuard Web Scanner — paste your address, instant results
- Telegram: @SolGuard_Bot → /nonce <your_address> — shows all nonce accounts + authority details
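If any nonce accounts are found: rotate your nonce authority immediately using the Solana CLI: generate a new keypair with solana-keygen new, then reassign the authority to it with solana authorize-nonce-account <nonce_account> <new_authority_pubkey>.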
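The same check can be run against any Solana RPC node without a third-party scanner. The sketch below is an added example, not SolGuard's code: it builds the getProgramAccounts request that selects nonce accounts whose authority is your wallet, and decodes the returned account data. It assumes the standard 80-byte System Program nonce account layout; the sample response and account names are constructed.

```python
import base64
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"
NONCE_SIZE = 80       # u32 version | u32 state | 32B authority | 32B nonce | u64 fee
AUTHORITY_OFFSET = 8  # authority pubkey follows the two u32 tags
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def nonce_query(wallet: str) -> dict:
    """JSON-RPC body selecting nonce-sized System Program accounts with this authority."""
    filters = [{"dataSize": NONCE_SIZE},
               {"memcmp": {"offset": AUTHORITY_OFFSET, "bytes": wallet}}]
    return {"jsonrpc": "2.0", "id": 1, "method": "getProgramAccounts",
            "params": [SYSTEM_PROGRAM, {"encoding": "base64", "filters": filters}]}

def parse_nonce(data_b64: str):
    """Return the decoded fields, or None if this is not an initialized nonce account."""
    raw = base64.b64decode(data_b64)
    if len(raw) != NONCE_SIZE:
        return None
    _version, state = struct.unpack_from("<II", raw, 0)
    if state != 1:  # 0 = uninitialized, 1 = initialized
        return None
    return {"authority": b58encode(raw[8:40]), "stored_nonce": b58encode(raw[40:72]),
            "lamports_per_signature": struct.unpack_from("<Q", raw, 72)[0]}

def nonce_accounts(rpc_result: list) -> list:
    """Map a getProgramAccounts `result` array to one record per live nonce account."""
    found = []
    for item in rpc_result:
        fields = parse_nonce(item["account"]["data"][0])
        if fields:
            found.append({"nonce_account": item["pubkey"], **fields})
    return found

# Constructed sample response (not real chain data): one initialized, one empty account.
AUTH, NONCE = bytes(range(1, 33)), bytes(range(101, 133))
LIVE = struct.pack("<II", 1, 1) + AUTH + NONCE + struct.pack("<Q", 5000)
SAMPLE = [{"pubkey": "ConstructedNonceAccountA", "account": {"data": [base64.b64encode(LIVE).decode(), "base64"]}},
          {"pubkey": "ConstructedNonceAccountB", "account": {"data": [base64.b64encode(bytes(80)).decode(), "base64"]}}]

if __name__ == "__main__":
    print(nonce_query(b58encode(AUTH)))
    print(nonce_accounts(SAMPLE))
```

POST the dictionary from nonce_query to your RPC endpoint as JSON and pass the response's result array to nonce_accounts; every record it returns is a nonce account your key can advance, withdraw from or reauthorize.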
Step 2: Check Your JLP Exposure
JLP (Jupiter Liquidity Provider tokens, mint: 27G8MtK7VtTcCHkpASjSDdkWWYfoqT6ggEuKidVJidD4) was the #1 stolen asset. If you hold JLP or had JLP holdings at the time of the hack:
- Jupiter confirmed the broader JLP pool remains fully backed — the stolen JLP was from Drift's internal positions
- Individual JLP holdings are NOT at risk from the hack itself
- But: if you had Drift positions collateralized with JLP, those were at risk
Check your current JLP exposure: @SolGuard_Bot on Telegram → /jlp <your_address>
Step 3: Revoke Active Protocol Approvals
Solana works differently from Ethereum — there are no blanket "approvals" to revoke. But you can:
- Close any token accounts delegated to Drift program IDs
- Withdraw all liquidity from Drift if you still have positions
- Revoke authority on any nonce accounts your wallet controls
Drift's main program ID: dRiftyHA39MWEi3m9aunc5MzRF1JYuBsbn6VPcn33UH
Use Phantom or Solflare's built-in token management to close associated token accounts. To close a nonce account, use the Solana CLI: solana withdraw-from-nonce-account <nonce_account> <recipient_address> <amount>; withdrawing the full balance closes the account.
Step 4: Monitor Going Forward
The Drift hack used weeks of pre-staging. Real-time monitoring would have detected the nonce account creation patterns.
- @SolGuard_Bot watches your wallet for anomalies: velocity spikes, new nonce accounts, large transfers
- Oracle manipulation detection: tracks price deviation on assets held
- GlassWorm alerts: checks if your wallet interacted with known malware-linked addresses
Free tier: scan-on-demand. Premium ($99/month): real-time alerts + full nonce monitoring + priority notifications.
The Broader Pattern: DPRK Is Getting More Sophisticated
This was not a one-off. Q1 2026 alone: $300M+ stolen by DPRK-linked groups across 18 attacks. The Drift hack was notable for its complexity — combining:
- Social engineering of multisig holders (human layer)
- Fake token creation + oracle manipulation (protocol layer)
- Durable nonce pre-staging (infrastructure layer)
- Governance timelock bypass (security bypass layer)
No single check catches all of these. But scanning for nonce exposure and monitoring for unusual transaction patterns catches the infrastructure layer — the part that leaves traces weeks before execution.
Quick Checklist
- ☐ Run /nonce check on your primary wallet(s)
- ☐ Run /jlp check if you held JLP or used Drift
- ☐ Close any Drift-related token accounts if no longer using the protocol
- ☐ Set up real-time monitoring for wallets holding significant assets
- ☐ Never pre-sign transactions with durable nonces unless you understand the implications
Free scanner: solguard-security-monitor.surge.sh
Telegram monitoring: @SolGuard_Bot
Stay safe out there.