**Laura Shin** (0:00)
Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I'm your host, Laura Shin. Thanks for joining this live stream. Before we get started, a quick reminder. Nothing you hear on Unchained is investment advice. This show is for informational and entertainment purposes only, and my guest tonight may hold assets discussed on the show. For more disclosures, visit unchainedcrypto.com. Introducing Nexo, the premier digital wealth platform. Receive interest on your digital assets. Borrow against them without selling. Trade a variety of cryptocurrencies, all in one platform. Now available in the US. Get started today at nexo.com/unchained.
Today's topic is the Drift Protocol hack. Here to discuss is Omer Goldberg, founder and CEO of Chaos Labs. Welcome Omer.
**Omer Goldberg** (0:51)
Hi Laura, thanks for having me.
**Laura Shin** (0:54)
Solana's Drift Protocol, the largest decentralized perpetual futures exchange on the Solana blockchain, was hacked for $285 million, which, just for context, compares to a total value locked in the protocol of about 500 million before the attack. That was over half of the money in the protocol that was drained. That also puts this hack amongst the top 10 DeFi hacks of all time and the biggest this year thus far. The Drift token dropped from over 7 cents to 3.9 cents on the news and is now trading a bit above 5 cents. So the hack was pretty multi-layered and also quite methodical, it seems. It sort of seemed chilling reading about it, and it made me feel a little uneasy.
The attacker or attackers compromised the system a little while ago, actually, and then they kind of waited. So, yeah, there are things about it that seem similar to the Bybit attack. But anyway, Omer, why don't you walk us through what it was that it appears these hackers did to perpetrate this hack?
**Omer Goldberg** (2:00)
Yeah, definitely. And I really agree with what you said in the opening that it is chilling. I think we've seen a lot of hacks, unfortunately, already in this year. Many of them seem like, you know, it could be someone who's potentially less experienced and gains access to some key or admin privilege and kind of takes it from there. But this one was very technical, well thought out. And from what we know today, it spanned at least three weeks. I can jump into kind of the end-to-end timeline or...
**Laura Shin** (2:31)
Yeah, yeah, please do.
**Omer Goldberg** (2:33)
Cool. So around, I think as of today, around 21 days ago, for, if I'm not mistaken, for the first time, Drift initiated a migration towards a multisig. This multisig was a 2-of-5 multisig. Notably, it had zero time lock on any of the functions it could execute. And for listeners, what time lock means is, even though certain privileges in an application need to be signed by whitelisted addresses, a time lock basically says after they sign it, there's a gap between when it actually executes. And this is typically an additional security precaution to make sure that what was signed and the change enacted is indeed what you want it to be. So this happened about 20 days ago.
And in parallel to this, there was a fake token set up called CVT, completely fake, with no kind of pre-existing activity outside of this hack. And the attacker waited. I think some of the speculation was that they waited until April 1st, for April Fool's Day, so that when messages of the hack were being dispatched, there would be confusion about whether or not it was real or a prank. And pretty swiftly, within seconds, at least for the first batch, the attacker executed a series of transactions that effectively enabled them to deposit and manipulate the price of the collateral into the Drift vaults and extract all of the blue chip assets. So that was like the first part of the attack. Later there's how they kind of got out, bridged out and into Ethereum. But there are at least five or six discrete steps that the attacker had to do, which for me indicates that this was not like a random person who stumbled upon the keys. They studied the program. They were methodical and strategic in how they planned everything and executed it.
**Laura Shin** (4:32)
Yeah, yeah. And we'll break down more of these steps as we go. But when I was looking at this, it really felt like the original sin here was around the admin key. So explain how it was set up and how it appears to have been compromised.
**Omer Goldberg** (4:50)
Yeah, so in contrast to last week, when we were talking about the Resolv hack. And the Resolv hack was unique in the sense that there was one key that had effectively unlimited privileges to mint as much USR as they wanted, which made it easier for the hacker in terms of how many keys needed to be attained and compromised. Here, it wasn't a single key. It was a multi-sig. However, it was a two-of-five multi-sig. So this is like the minimum amount of signatures that you would need in a multi-sig. So it's one step above a single key. We're still waiting for an official, I think, post-mortem. I think Squads have written a few updates. And as of right now, it doesn't look like their infrastructure was compromised. They're the multi-sig provider on Solana. Drift are still in an active war room. So we don't know exactly how. Although there is speculation with the recent wave of supply chain attacks that have been kind of perpetuated and executed by Lazarus or DPRK.