In brief
- Researchers and experts are poring over Drift’s design, questioning whether certain design features or procedures could’ve thwarted its $285 million exploit.
- The incident shows how many DeFi projects prioritize technical security over cybersecurity hygiene, according to SVRN COO David Schwed.
- Onlookers have argued that a “time lock” would’ve given Drift the opportunity to potentially step in and prevent the attacker from siphoning the funds.
When millions of dollars in crypto are swiped from a decentralized finance protocol, tough questions often follow—and Drift Protocol’s $285 million exploit on Wednesday is no different.
The Solana-based project has been thrust into the spotlight as researchers and experts pore over its design, raising questions about whether certain design features or procedures could’ve prevented someone from pulling off one of the most lucrative DeFi attacks in the recent past.
In a post on X, Drift said a malicious actor gained unauthorized access to its platform through a “novel attack,” which granted administrative powers over Drift’s so-called security council. They added that the attack likely involved some degree of “sophisticated social engineering.”
The heist, which is among DeFi’s largest in recent history, hinged on introducing a fake digital asset on the decentralized exchange and modifying the platform’s withdrawal limits. After inflating the malicious token’s value, the attacker gained the ability to swiftly drain real liquidity from Drift by abusing borrowing mechanics.
There are indications that the exploit is linked to the Democratic People’s Republic of Korea, blockchain intelligence firm Elliptic said in a report on Thursday. They pointed to the attacker’s on-chain behavior, laundering methodologies, and network-level indicators.
With user deposits affected—and the protocol frozen as a precautionary measure—onlookers are also focusing on a core element of Drift’s design: a multisignature wallet, where signatures produced by two private keys enabled the attacker to gain sweeping powers.
Multisignature wallets represent a point of centralization for many DeFi projects, and the incident exposes the uncomfortable reality that smart contract audits can only prevent so much damage, according to SVRN COO and blockchain security expert David Schwed.
He told Decrypt that Drift has become the latest example of how services that seek to replace financial intermediaries with code are frequently reliant on small teams and points of centralization like multisignature wallets that present cybersecurity risks.
“All of the engineers today focus on the technology side of security, they’re not focusing on the people in the process,” he said. “So yes, the protocol is decentralized, but the governance of it is centralized against five people.”
‘Yet again’
Schwed compared Drift’s lapse in security to one of the most notorious DeFi hacks, where over $625 million worth of digital assets were stolen by hackers linked to North Korea in 2022. They targeted Ronin, an Ethereum sidechain developed for the hit NFT game Axie Infinity. The attack relied on gaining access to five private keys, per blockchain security firm Chainalysis.
While blockchain analysts see the fingerprints of a nation-state, others argue the precision of the attack suggests a more intimate knowledge of the protocol. Schwed doubted that hackers linked to North Korea were involved in the hack against Drift because it feels like the attacker, possibly an insider, “knew who to target.”
Onlookers have speculated that a “time lock” could’ve prevented the exploit from taking place so quickly. The smart contract feature restricts the execution of transactions or access to funds until a specific future time is reached, potentially providing Drift’s team with a window to step in.
“Time locks are helpful for gaining time to react to such an attack, and would have helped here—but that is not the root cause,” Stefan Byer, managing partner at Oak Security, told Decrypt. “The biggest issue was that—yet again—a privileged key was compromised.”
Still, Dan Hongfei, founder and chair of Neo Blockchain, argued that protocols like Drift that house millions of dollars in funds should not be instantly drainable.
In a post on X, he said time locks tied to critical actions like listing high-risk assets must be enforced to “prevent an attacker from completing the entire exploit chain within seconds.”
The sentiment was echoed by Or Dadosh, founder of crypto security infrastructure provider Venn Network. He also pointed to automatic circuit breakers, which enable projects to instantly pause operations if abnormal outflow velocity or volume thresholds are breached.
Several security experts wagered that Drift wouldn’t be the last DeFi project to suffer an exploit like the one that occurred on Wednesday. They noted that bad actors are increasingly turning to AI, using algorithms to gain a comprehensive understanding of their next target.
“We’ve reached a level where a bad actor can spoof your mother’s voice on a phone call,” Dadosh told Decrypt. “We live in a new age where financial attacks can surface in places and formats we couldn’t have even imagined a year ago.”