Defending Against Durable Nonce Attacks: Lessons from the $285M Drift Protocol Heist
Introduction
On April 1, 2026, the Solana-based decentralized exchange Drift Protocol suffered a catastrophic security breach, resulting in the loss of approximately $285 million. While the monetary value is staggering, the attack vector—a novel exploit involving "durable nonces" combined with social engineering—represents a significant evolution in how threat actors target Web3 infrastructure. For defenders and security teams, this incident highlights that the most sophisticated exploits often begin with the simple manipulation of human trust, bypassing technical safeguards by abusing legitimate protocol features. Understanding how "durable nonces" were weaponized is critical for protecting organizations managing digital assets or blockchain infrastructure.
Technical Analysis
The incident involved a threat actor gaining unauthorized access to Drift Protocol’s administrative "Security Council" powers. The attacker utilized a technique known as a "durable nonce" attack.
In the Solana architecture, a nonce is a unique number used for transaction authentication to prevent replay attacks. A "durable nonce" is a specific type of account that allows a transaction to be signed offline and remain valid for an extended period, or until the specific nonce is advanced. This is typically used for off-chain signing and complex transaction orchestration.
In this attack, the malicious actor likely socially engineered a developer or key holder into signing a transaction that appeared benign but contained a durable nonce authorization. Once the victim signed the transaction, the attacker was able to utilize the durable nonce to inject malicious instructions—specifically transferring control of the Security Council—effectively overriding standard security checks. This allowed the attacker to drain liquidity pools. The attack leverages legitimate functionality (durable nonces) for malicious purposes, making it difficult to detect via standard signature verification alone.
Defensive Monitoring
Detecting and preventing these attacks requires a multi-layered approach focusing on endpoint security where signing occurs, and network telemetry identifying C2 infrastructure associated with groups like the DPRK (Lazarus Group).
SIGMA Rules
---
title: Potential Solana CLI Administrative Change Execution
id: 7c9e8f10-2b3a-4c5d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects the execution of Solana CLI tools often used for administrative changes or nonce management, which could indicate post-compromise activity in Web3 environments.
references:
- https://docs.solana.com/cli
author: Security Arsenal
date: 2026/04/02
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\solana.exe'
CommandLine|contains:
- 'nonce'
- 'set-authority'
- 'upgrade'
- 'grant'
falsepositives:
- Legitimate developer administration of Solana programs
level: medium
---
title: Suspicious PowerShell EncodedCommand Pattern
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects PowerShell execution using EncodedCommand, a common technique in social engineering payloads to obfuscate malicious scripts targeting crypto personnel.
references:
- https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/04/02
tags:
- attack.execution
- attack.t1059.001
- attack.obfuscation
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- '-Enc'
- '-EncodedCommand'
- 'FromBase64String'
falsepositives:
- Legitimate system administration scripts
level: high
KQL Queries
The following KQL queries can be used in Microsoft Sentinel to identify potentially suspicious activity related to Web3 development environments or social engineering payloads.
// Hunt for unusual PowerShell execution patterns often used in phishing
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessVersionInfoOriginalFileName =~ "powershell.exe"
| where ProcessCommandLine contains "-Enc" or ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| limit 100
// Identify execution of blockchain CLI tools on corporate endpoints
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("solana.exe", "truffle.cmd", "hardhat.cmd", "geth.exe", "anvil.exe")
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, AccountName
| extend ExecutableHash = SHA256
Velociraptor VQL
These Velociraptor hunts help defenders identify if developer workstations have been compromised or are running suspicious Web3 management tools.
-- Hunt for Solana CLI process execution with administrative flags
SELECT Pid, Name, Exe, CommandLine, Username, StartTime
FROM pslist()
WHERE Name =~ "solana"
AND (CommandLine =~ "nonce" OR CommandLine =~ "upgrade" OR CommandLine =~ "authority")
-- Search for recent PowerShell script logs that may indicate phishing execution
SELECT FullPath, Mtime, Size, Data
FROM glob(globs="C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt")
WHERE Data =~ "FromBase64String" OR Data =~ "IEX"
PowerShell Verification Script
Use this script to audit the presence of Web3 CLI tools on developer endpoints, which should be restricted to specific build environments.
# Audit script for Web3 CLI tools
Write-Host "Auditing for Web3 CLI tools..."
$paths = @(
"$env:USERPROFILE\.cargo\bin",
"$env:APPDATA\npm",
"C:\Program Files\nodejs",
"C:\Program Files\Git\bin"
)
$tools = @("solana.exe", "hardhat.cmd", "truffle.cmd")
$found = @()
foreach ($path in $paths) {
if (Test-Path $path) {
foreach ($tool in $tools) {
$fullPath = Join-Path $path $tool
if (Test-Path $fullPath) {
$found += $fullPath
Write-Host "[!] Found: $fullPath" -ForegroundColor Yellow
}
}
}
}
if ($found.Count -eq 0) {
Write-Host "No standard Web3 CLI tools found in user paths." -ForegroundColor Green
} else {
Write-Host "Audit complete. Review findings." -ForegroundColor Cyan
}
Remediation
To protect against durable nonce attacks and similar social engineering threats, organizations should implement the following defensive measures:
-
Strict Transaction Policies: Disable or strictly limit the use of durable nonces for high-privilege accounts. If they must be used, implement a policy where every transaction involving a durable nonce requires multi-party approval (M-of-N multisig).
-
Developer Workstation Isolation: Isolate machines used for signing transactions. These workstations should be dedicated "air-gapped" or strictly controlled environments with no email access or web browsing capabilities to prevent social engineering entry.
-
Allowlist Signing Actions: Implement hardware wallet policies (e.g., using Ledger or HSMs) that only allow specific, pre-approved transaction types or scripts. Ensure that the firmware verifies the full details of the transaction, including the nonce state.
-
Simulate Before Signing: Utilize tools that simulate the transaction state changes before the user is asked to sign. This allows the signer to verify that the transaction does what is intended (e.g., transfer ownership) rather than containing hidden instructions.
-
Security Training: Conduct specific training for developers and key holders regarding the risks of "durable nonces" and the necessity of verifying the intent of a transaction, not just the origin.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.