Drift Protocol says a “highly sophisticated” attacker drained about $280 million from its Solana-based DeFi platform after taking over key admin controls. On-chain sleuth ZachXBT is also criticizing Circle for how it handled the movement of stolen USDC during the hack.
How the Drift Exploit Unfolded
Drift explained that the attacker did not exploit a smart contract bug but instead abused governance and signing processes within its Security Council. According to the team, the attacker spent weeks preparing the operation, using a Solana feature called “durable nonce” to pre-sign transactions and trigger them later
Durable nonce accounts let users sign a transaction in advance and execute it at a later block, helping avoid failed transactions. In this case, the attacker reportedly combined these delayed transactions with stolen or misused multisig approvals, gaining control over protocol-level admin powers.
Once in charge, the attacker changed key parameters, lifted withdrawal limits, and quickly drained funds from Drift’s insurance and protocol wallets. Estimates from Drift and multiple reports put the loss at $280–285 million, making it one of the largest exploits on Solana to date.
Drift has paused deposits and withdrawals while investigators trace the stolen assets and review governance and security processes. The team says it has no evidence that seed phrases or private keys were directly stolen, and it frames the event as a targeted social engineering and admin takeover attack.
ZachXBT’s Criticism of Circle and USDC
As details of the exploit emerged, on-chain investigator ZachXBT turned attention to Circle, the issuer of USDC. He argued that Circle failed to act while tens or even hundreds of millions of USDC were moved through Circle’s own Cross-Chain Transfer Protocol from Solana to Ethereum during U.S. business hours.
Reports say the attacker bridged a large share of the stolen USDC across chains using CCTP, with no Circle freeze during the crucial hours. Critics note this stands in sharp contrast to a separate case days earlier, when Circle rapidly froze USDC in 16 business wallets tied to a sealed U.S. civil action, later partially reversing that decision.
ZachXBT and other commentators say the difference between the two responses raises questions about how and when Circle uses its freeze powers. They argue that inconsistent enforcement can both undermine trust in USDC and leave users guessing about the real protections available during major hacks.
READ MORE: NEAR Protocol Drops as Analysts Target $1.95 Recovery Zone
