Drift said it exploits Nonce’s attack driving when faced with a round of USDC investigations.
Solana-based decentralized exchange (DEX) Drift Protocol confirmed on Thursday that it had been targeted by an exploit worth an estimated $280 million, which it described as a “highly sophisticated operation.”
The platform took to X to share the results from a preliminary investigation, saying the attackers used Solana's Unsustainable Object, a technique to manipulate pre-signed transactions and withdraw funds. The protocol says it is under active attack in coordination with security firms, bridges and exchanges, and deposits and withdrawals have been blocked.
The attack began on Wednesday, and the theft involved several assets, including Circle's USDC (USDC) and various altcoins. Onchain data later revealed that the exploit converted most of the assets into USDC, the currency later pegged to Ethereum.
The incident drew scrutiny not only because it appeared to involve abuse of legitimate Solana trading features rather than an outright smart contract failure, but also because of how funds were moved around the chain within hours without being frozen, raising questions about the intervention of central stablecoin issuers.
What is the unsustainable nature of Solana?
Solana's durable nonces is a unique feature that allows transactions to bypass certain expiration windows and allows users to sign transactions for future execution, offline signature, or complex multi-sig workflows.
Drift used persistent unsigned, pre-signed transactions to gain unauthorized administrative access and quickly execute malicious actions.
Durable nonces themselves are not widely associated with major exploits, but developers have noted that features that enable delayed performance introduce complex and potential risks if misused or combined with other vulnerabilities.
Questions on circle response
The move sparked criticism in the USDC issuing community, as the attacker took hours to convert $270 million to the stablecoin before linking it to Ethereum.
Onchain sleuth ZachXBT and others said the company had at least six hours to freeze funds but took no action, comparing the response to previous cases where wallets were blacklisted.
Some industry figures have pointed to a gap between Circle's ability to freeze funds and any obligation to do so.
“Circles can slow it down. But they don't have to,” the pseudonymous Mole wrote on X, adding that proposed regulatory frameworks like the GENIUS Act could interfere with finalized laws and change that dynamic.
Related: Balancer Labs Shuts Down 4 Months After $100M+ Exploitation, Protocol Continues
The incident marks another issue in the debate over centralized platforms' intervention during attacks, with ZachXBT repeatedly criticizing the circle on the issue.
The investigator previously submitted a request to the USDC for Circle's response to the Bybit hack in late February, to which Circle CEO Jeremy Allaire responded, saying the company would act on law enforcement requests before freezing funds.
Magazine: No one knows if quantum secure encryption even works
