
The DeFi lending protocol Drift was hacked for over $200 million in 10 seconds, affecting more than 15 projects

Core Viewpoint
Summary: The modular structure of DeFi was once regarded as the field's greatest advantage, but that same modularity now amplifies damage like a domino effect.
ChainCatcher Selection
2026-04-02 11:06:55

Author: Gu Yu, ChainCatcher

Around 1 AM today, a massive theft occurred in the DeFi sector. The Solana lending protocol Drift was hacked, and over $220 million in user assets was stolen within ten seconds.

After the incident, the Drift token dropped over 40% in a short period, with the current FDV around $44 million. Because many Solana ecosystem assets were involved, tokens such as SOL and JUP also saw abnormal declines of varying degrees.

Previously, Drift was one of the largest lending protocols in the Solana ecosystem. According to RootData, the protocol has raised over $52 million, with investors including top VCs like Multicoin Capital, Polychain, Robot Ventures, Blockchain Capital, Ethereal Ventures, and Jump Capital.

According to public analysis, the Drift theft is closely tied to the attacker illegally gaining control of the multi-signature address, combined with common attack methods such as governance attacks and oracle attacks. The attacker used a single signing key to complete all operations in one transaction: creating a fake market, manipulating the oracle, and lifting withdrawal restrictions. It is also possible that an insider was involved in leaking the multi-signature address's private key.

These familiar attack methods and the project's weak safeguards once again expose the vulnerabilities in the DeFi sector. Based on tweets and related interpretations from Chaos Labs founder Omer Goldberg, here is a detailed analysis of the theft process:

The initial signs of the incident occurred a week ago when Drift migrated the management authority of the protocol from an old multi-signature wallet to a new multi-signature wallet. This new wallet was created by one of the signers from the old multi-signature wallet, but that signer did not add themselves to the new multi-signature wallet.

The attacker exploited this gap and initiated a proposal in the old multi-signature wallet to transfer Drift's admin rights to a new wallet (controlled by the attacker).

The new multi-signature setup had five signers, of which only one was from the old wallet, and the other four were entirely new. The rules were extremely lenient: only 2 out of 5 needed to agree (meaning only 2 signatures were enough), and there was a 0-second time lock (the proposal was executed immediately without any waiting period).

Early this morning, the only remaining old signer proposed in the new multi-signature: "Change Drift's admin rights to the wallet truly controlled by the attacker."

Seconds later, another new signer immediately co-signed, easily reaching the 2-of-5 threshold. Because there was no time lock, the proposal was executed instantly, and the attacker gained complete admin rights.
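The migration described above can be checked mechanically before admin authority moves. The following is an added example, not code from Drift, Chaos Labs or the article; the policy floors, finding codes and signer labels are assumptions made for illustration.

```python
from dataclasses import dataclass

# Policy floors are assumptions for this example, not Drift's or any wallet's defaults.
MIN_TIMELOCK_SECONDS = 24 * 3600   # time for other parties to see and veto a proposal
MIN_CARRYOVER_RATIO = 0.5          # share of new signers already in the old set

@dataclass(frozen=True)
class MultisigConfig:
    signers: frozenset
    threshold: int          # signatures required to execute
    timelock_seconds: int   # delay between approval and execution

def audit_migration(old, new):
    """Return finding codes for a proposed old -> new multisig migration."""
    n = len(new.signers)
    if n == 0:
        return ["EMPTY_SIGNER_SET"]
    carried = new.signers & old.signers
    fresh = new.signers - old.signers
    findings = []
    if 2 * new.threshold <= n:                 # not a strict majority
        findings.append("MINORITY_THRESHOLD")
    if new.timelock_seconds < MIN_TIMELOCK_SECONDS:
        findings.append("SHORT_TIMELOCK")
    if len(carried) / n < MIN_CARRYOVER_RATIO:
        findings.append("HIGH_SIGNER_TURNOVER")
    if len(fresh) >= new.threshold:            # unvetted keys alone reach quorum
        findings.append("NEW_SIGNERS_REACH_QUORUM")
    return findings

# Constructed sample data: signer labels are placeholders, and the old set's
# size and rules are invented (the article does not give them).
OLD = MultisigConfig(frozenset({"old1", "old2", "old3", "old4", "old5"}), 3, 86400)
# Shape reported in the article: 5 signers, 1 carried over, 2-of-5, 0 s time lock.
REPORTED = MultisigConfig(frozenset({"old1", "new1", "new2", "new3", "new4"}), 2, 0)
# A conservative migration for contrast (constructed).
CONSERVATIVE = MultisigConfig(frozenset({"old1", "old2", "old3", "old4", "new1"}), 3, 172800)

if __name__ == "__main__":
    print(audit_migration(OLD, REPORTED))
    print(audit_migration(OLD, CONSERVATIVE))
```

The reported configuration trips all four checks, while the conservative one passes cleanly.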

Subsequently, the attacker immediately used their rights to create a CVT spot market in the Drift protocol, with a total token supply of about 750 million, of which the attacker held 600 million. The attacker then set up a SwitchboardOnDemand oracle under their own control and configured Drift to read from it.

After completing the operation, the attacker raised the price of the nearly worthless CVT tokens through 20 transactions, making the 600 million CVT they deposited appear to be worth hundreds of millions of dollars according to the oracle. As a result, the attacker borrowed assets worth approximately $220 million to $280 million, including 41.72 million JLP (Jupiter LP token, worth about $155 million), 51.61 million USDC, and 164 cbBTC (worth about $11.29 million).
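A lending market can bound how much borrowing power a newly listed collateral carries, which limits the damage from a listing like the CVT one even when the listing key is compromised. This is an added example, not Drift's code: the three guards, their limits, the independent reference price and all prices used are assumptions (the article gives only the 600 million and 750 million token counts).

```python
from decimal import Decimal

# All limits below are assumptions for this example, not Drift parameters.
SEASONING_SECONDS = 7 * 24 * 3600   # new markets carry no borrowing power at first
MAX_PREMIUM = Decimal("0.10")       # oracle may exceed the reference price by 10%
MAX_SUPPLY_SHARE = Decimal("0.05")  # one account's counted share of total supply
LTV = Decimal("0.50")               # loan-to-value applied to counted collateral

def naive_capacity(deposit, oracle_price):
    """Borrowing power when the listed oracle is trusted as-is."""
    return Decimal(deposit) * Decimal(oracle_price) * LTV

def borrow_capacity(deposit, total_supply, oracle_price, reference_price,
                    market_age_seconds):
    """Return (capacity_usd, guards_that_bound) for one account's collateral.

    reference_price is assumed to come from a source the listing admin does
    not control, such as a long-window average on an independent venue.
    """
    deposit, total_supply = Decimal(deposit), Decimal(total_supply)
    oracle_price, reference_price = Decimal(oracle_price), Decimal(reference_price)
    if market_age_seconds < SEASONING_SECONDS:
        return Decimal(0), ["MARKET_NOT_SEASONED"]
    bound = []
    price = oracle_price
    price_cap = reference_price * (1 + MAX_PREMIUM)
    if oracle_price > price_cap:               # oracle ran ahead of the reference
        price = price_cap
        bound.append("ORACLE_ABOVE_REFERENCE")
    counted = deposit
    max_tokens = total_supply * MAX_SUPPLY_SHARE
    if deposit > max_tokens:                   # one holder dominates the supply
        counted = max_tokens
        bound.append("CONCENTRATED_HOLDER")
    return counted * price * LTV, bound

if __name__ == "__main__":
    # Token counts from the article; both prices are constructed.
    print(naive_capacity(600_000_000, "0.50"))
    print(borrow_capacity(600_000_000, 750_000_000, "0.50", "0.0001", 60))
    print(borrow_capacity(600_000_000, 750_000_000, "0.50", "0.0001", 30 * 86400))
```

With the constructed prices, trusting the oracle yields $150 million of borrowing power; the seasoning guard yields zero, and a seasoned market with the price and concentration caps yields about $2,062.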

The modular structure of DeFi was once seen as the sector's greatest advantage, but here it has passed the risk on, domino-style, to the other Solana DeFi protocols integrated with the Drift lending market.

Jupiter is the biggest victim of this security incident: JLP, the most-stolen asset, is the core LP asset of the Jupiter perpetual contract market. The theft will significantly reduce liquidity in that market and trigger chain reactions such as panic withdrawals and a decline in the JUP token.

In addition, over 15 DeFi protocols, including Perena, Project 0, Exponent, Carrot, Ranger, PiggyBank, Reflect, Elemental, Neutral Trade, Pyra, Fuse, and XPlace, have confirmed varying degrees of impact from the Drift theft incident, with some withdrawal functions already suspended.

However, as in all security incidents, those most affected are still the users, and the continuous run of hacks repeatedly shakes their confidence in DeFi.

"Today, I'm not doing anything else. I'm withdrawing all funds from all old projects on-chain. For new projects, unless I know them particularly well, I'm not investing either. It's a time of trouble; don't test human nature." After losing over $6,000 in this incident, the well-known KOL Tu Ao Da Shi posted this statement.
