The DeFi lending protocol Drift was hacked for over $200 million in just 10 seconds, affecting more than 15 projects

Author: Gu Yu, ChainCatcher

Around 1 AM today, a massive theft incident occurred again in the DeFi space, where the Solana lending protocol Drift was attacked by hackers, resulting in over $220 million in user assets being stolen within ten seconds.

After the incident, the Drift token dropped over 40% in a short time, with the current FDV around $44 million. Due to the involvement of many assets in the Solana ecosystem, tokens in the Solana space such as SOL and JUP experienced varying degrees of abnormal declines.

Previously, Drift was one of the largest lending protocols in the Solana ecosystem. According to RootData, the protocol has raised over $52 million, with investors including top VCs like Multicoin Capital, Polychain, Robot Ventures, Blockchain Capital, Ethereal Ventures, and Jump Capital.

According to public analysis, this theft of Drift is closely related to the illegal acquisition of control over the multi-signature address, combined with common attack methods such as governance attacks and oracle attacks. The attacker used a single signature key to complete all operations in one transaction: creating a fake market, manipulating the oracle, and lifting withdrawal restrictions. Among them, the possibility of insider involvement in the leakage of the multi-signature address private key exists.

The frequently seen attack methods, along with the project's weak preventive measures, once again expose the vulnerabilities in the DeFi space. Based on a tweet and related interpretations from Chaos Labs founder Omer Goldberg, here is a detailed analysis of the theft process:

The initial signs of the incident occurred a week ago when Drift migrated the management authority of the protocol from an old multi-signature wallet to a new multi-signature wallet. This new wallet was created by one of the signers from the old multi-signature wallet, but that signer did not add themselves to the new multi-signature wallet.

The attacker seized this vulnerability, first initiating a proposal in the old multi-signature to transfer Drift's administrative rights to a new wallet (controlled by the attacker).

The new multi-signature was set up with five signers, only one of whom was from the old wallet, while the other four were entirely new. The rules were extremely lenient: only 2 out of 5 needed to agree (meaning only 2 signatures were enough), and there was a 0-second time lock (the proposal was executed immediately without any waiting period).

In the early hours of today, the only remaining old signer proposed in the new multi-signature: "Change Drift's administrative rights to the wallet truly controlled by the attacker."

Seconds later, another new signer immediately co-signed, easily reaching the ⅖ threshold. Because there was no time lock, the proposal was executed instantly, granting the attacker complete administrative rights.

Subsequently, the attacker immediately used their authority to create a CVT spot market in the Drift protocol, with a total supply of about 750 million tokens, of which the attacker held 600 million. The attacker then used their controlled SwitchboardOnDemand oracle and configured Drift to read from that oracle.

After completing the operation, the attacker raised the price of the previously nearly worthless CVT token through 20 transactions, making the 600 million CVT they deposited appear to be worth hundreds of millions of dollars according to the oracle. As a result, the attacker borrowed assets worth about $220 - $280 million, including 41.72 million JLP (Jupiter LP token, worth about $155 million), 51.61 million USDC, and 164 cbBTC (worth about $11.29 million).

The modular structure of DeFi was once seen as the greatest advantage of the field, but now this advantage has also transmitted risks to other DeFi protocols integrated into the Drift lending market in the Solana space like a domino effect.

Jupiter is the biggest victim affected by this security incident, with the most stolen JLP being the core LP asset of the Jupiter perpetual contract market. This theft will significantly reduce the liquidity of the Jupiter perpetual contract market and trigger panic withdrawals and a decline in the JUP token, among other chain reactions.

In addition, over 15 DeFi protocols including Perena, Project 0, Exponent, Carrot, Ranger, PiggyBank, Reflect, Elemental, Neutral Trade, Pyra, Fuse, and XPlace have confirmed varying degrees of impact from the Drift theft incident, with some withdrawal functions already suspended.

However, among all security incidents, the most affected are still the users, as the continuous hacking events repeatedly shake users' confidence in DeFi.

"Today I'm not doing anything else, I'm withdrawing all funds from all old projects on-chain, and for new projects, unless I know them particularly well, I'm not investing either. It's a tumultuous time, don't test human nature." After losing over $6,000 in this incident, well-known KOL Tu Ao Da Shi posted this statement.