Drift, a decentralised finance project built on the Solana blockchain, was hit by a hack that drained nearly US$300mil (RM1.21bil) in digital assets from the protocol, ranking it among the largest exploits in the history of crypto.
“Earlier today, a malicious actor gained unauthorised access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers,” Drift said in a post on X late Wednesday, adding that about US$280mil (RM1.13bil) in cryptocurrencies were stolen from the project.
Industry observers speculated that the hack appeared to be a social-engineering-driven attack, similar to what happened to crypto exchange Bybit last year, which resulted in a loss of almost US$1.5bil (RM6.05bil). In a typical social-engineering attack, hackers seek to manipulate users into exposing passwords rather than exploiting software code flaws.
“The weakest link always remains the humans,” said Mert Mumtaz, co-founder and chief executive officer of Helius, a Solana infrastructure company. “This particular attack would’ve happened regardless of whatever chain it was on since it didn’t involve anything but the humans leaking their credentials.”
The attack comes with the DeFi sector on the verge of gaining greater mainstream adoption, with more traditional financial institutions working with startups to bring real-world assets such as stocks, bonds and even real estate on chain.
“The Drift incident hits hard, it stings for the whole ecosystem,” wrote Lily Liu, president of Solana Foundation, on X. “Solana has come through tough spots before by shipping faster, building better, looking out for each other – and shipping safer.”
The amount of cryptocurrency stolen in the hack makes the exploit the ninth largest in crypto history, based on data tracked by crypto news site rekt.news.
PeckShield Inc was among the firms that initially flagged the incident. Some of the stolen cryptocurrencies were converted into USDC, a dollar-pegged stablecoin issued by Circle Internet Group Inc, based on the blockchain data, the firms said. The hackers then converted some of the stablecoins into Ether.
Drift was founded by Cindy Leow and David Lu in 2021 and offers a variety of trading products including perpetual futures – a type of futures contract that does not expire. Its investors include Multicoin Capital and Blockchain Capital. The cumulative volume of perpetual swap contracts on Drift stands at around US$148bil (RM596.44bil), according to DeFiLlama. – Bloomberg
