How the Drift Protocol $285M Hack Used Durable Nonces (And How to Detect It)
SolGuard Security
TL;DR
The $285M Drift Protocol exploit on April 1, 2026 used a Solana feature called durable nonces — and the attack signatures were visible on-chain for 21 days before execution. This post explains how it worked and how to detect it in the future.
What is a Durable Nonce?
Normal Solana transactions expire in ~60 seconds. A durable nonce account lets you create a transaction that remains valid indefinitely — it can be signed offline today and broadcast weeks later. This is useful for hardware signing workflows, but it becomes dangerous when attackers obtain signing keys.
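// Normal transaction - expires ~60 seconds
tx.recentBlockhash = (await connection.getLatestBlockhash()).blockhash;
// Durable nonce transaction - stays valid until the nonce is advanced
tx.recentBlockhash = nonceAccount.nonce; // static value stored in the nonce account
// nonceInstruction is the AdvanceNonceAccount instruction, e.g. from SystemProgram.nonceAdvance(...)
tx.nonceInfo = { nonce: nonceAccount.nonce, nonceInstruction };
How the Drift Attack Used Durable Nonces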
21 days before the $285M drain, the Drift attackers:
- Socially engineered 2 of 5 Drift Security Council members into signing malicious transactions
- Used those 2 compromised keys to initialize durable nonce accounts
- Pre-signed admin drain transactions against those nonces, granting the attacker wallet control over all Drift vaults
- Left the pre-signed transactions dormant for 21 days while continuing to build trust
- Broadcast the pre-signed transactions on April 1 — draining $285M in under an hour
What Could Have Detected It
The on-chain signals were present 21 days before execution:
- Durable nonce accounts initialized by admin keys — unusual pattern
- Nonce accounts left un-advanced for days — suggests pre-signed transactions are staged
- Attacker wallet funded via Tornado Cash bridging — known pre-exploit pattern
- Multisig signer composition change — threshold manipulation 11 days before
- Program upgrade authority change — 2 days before drain
Monitoring for This in the Future
SolGuard is a free Solana security monitor built specifically to catch these patterns. It watches 12 major DeFi protocols (Orca, Raydium, Jupiter, Kamino, MarginFi, Drift, Squads, Solend, Meteora, and more) for:
- Durable nonce account creation by admin/multisig keys
- Nonce accounts that go un-advanced for 24+ hours (suggesting staged transactions)
- Upgrade authority changes
- Multisig signer composition changes
- Large admin balance outflows
Free wallet scanner: solguard-security.surge.sh — scan any Solana address for durable nonce exposure similar to what was used in the Drift attack.
Live threat feed: solguard-security.surge.sh/feed.html — shows real-time monitoring of 12 protocols.
Telegram bot: @SolGuard_Bot — free tier monitors 3 wallets with real-time alerts.
Technical Notes on Detection
The System Program on Solana emits log messages for InitializeNonceAccount and AdvanceNonceAccount instructions. A monitoring service subscribing to all logs can detect nonce creation in real-time. The key signal is when an admin key (upgrade authority or multisig) initializes a nonce without immediately advancing it — this suggests a pre-signed transaction has been created against it.
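// Detecting nonce events via Solana web3.js
const { Connection, clusterApiUrl } = require('@solana/web3.js');
const connection = new Connection(clusterApiUrl('mainnet-beta'), 'confirmed');
connection.onLogs('all', (logs) => {
  // Join with newlines so a match cannot span two separate log lines
  const text = logs.logs.join('\n');
  if (text.includes('InitializeNonceAccount')) {
    // Alert: durable nonce created (logs.signature identifies the transaction)
  }
  if (text.includes('AdvanceNonceAccount')) {
    // Alert: pre-signed tx submitted
  }
});
This is exactly how SolGuard works. The Drift attack had 21 days of warning time. Next time, we want to catch it in 21 minutes.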
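An added example, not SolGuard's code or anything from the original post: instead of matching log text, it decodes System Program instruction data (index 4 is AdvanceNonceAccount, 6 is InitializeNonceAccount) and tracks how long a nonce set up under a watched admin authority has sat un-advanced. The input record shape, the hex-encoded authority watch list and the sample keys are assumptions constructed for the illustration.

```javascript
// Added example: constructed data only, no RPC connection needed.
const SYSTEM_PROGRAM = '11111111111111111111111111111111';
const ADVANCE_NONCE = 4, INITIALIZE_NONCE = 6; // System Program instruction indices
const STALE_SECONDS = 24 * 60 * 60;            // the "24+ hours" threshold above

// Assumed input shape: { programId, accounts: string[], data: Buffer, blockTime }
function classify(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.length < 4) return null;
  const index = ix.data.readUInt32LE(0); // u32 little-endian discriminator
  if (index === INITIALIZE_NONCE && ix.data.length === 36) {
    // Remaining 32 bytes are the nonce authority's public key.
    const authority = ix.data.subarray(4).toString('hex');
    return { kind: 'init', nonce: ix.accounts[0], authority };
  }
  if (index === ADVANCE_NONCE && ix.data.length === 4) {
    return { kind: 'advance', nonce: ix.accounts[0] };
  }
  return null;
}

class NonceWatch {
  constructor(adminKeysHex) {
    this.admins = new Set(adminKeysHex); // watched authorities, hex-encoded (assumption)
    this.staged = new Map();             // nonce account -> time the nonce last changed
  }
  observe(ix) {
    const ev = classify(ix);
    if (!ev) return null;
    if (ev.kind === 'init') {
      if (!this.admins.has(ev.authority)) return null;
      this.staged.set(ev.nonce, ix.blockTime);
      return { alert: 'admin-nonce-created', nonce: ev.nonce };
    }
    if (!this.staged.has(ev.nonce)) return null;
    const dormantSeconds = ix.blockTime - this.staged.get(ev.nonce);
    this.staged.set(ev.nonce, ix.blockTime); // new nonce value, restart the clock
    return { alert: 'admin-nonce-advanced', nonce: ev.nonce, dormantSeconds };
  }
  stale(now) { // nonces whose stored value has not changed for STALE_SECONDS
    return [...this.staged].filter(([, t]) => now - t >= STALE_SECONDS).map(([n]) => n);
  }
}

// Constructed sample instructions (keys and account names are made up).
const ADMIN = 'aa'.repeat(32), OTHER = 'bb'.repeat(32);
const initIx = (nonce, auth, t) => ({ programId: SYSTEM_PROGRAM, accounts: [nonce], blockTime: t,
  data: Buffer.concat([Buffer.from([6, 0, 0, 0]), Buffer.from(auth, 'hex')]) });
const advanceIx = (nonce, t) => ({ programId: SYSTEM_PROGRAM, accounts: [nonce], blockTime: t,
  data: Buffer.from([4, 0, 0, 0]) });
```

A deployment would feed `observe` from parsed transactions and call `stale` on a timer; it could also match on the signers of the initializing transaction rather than only the encoded nonce authority.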