
Drift Protocol Compromise: Solana Durable Nonce Attack & DPRK Social Engineering

Security Arsenal Team
April 10, 2026

Introduction

On April 1, 2026, the Solana-based decentralized exchange (DEX) Drift Protocol suffered a catastrophic security breach resulting in the theft of approximately $285 million. This incident is not merely a smart contract vulnerability; it is a sophisticated operation attributed to the Democratic People's Republic of Korea (DPRK), combining social engineering with a deep technical abuse of the Solana runtime's "durable nonce" feature. Attackers successfully gained unauthorized access to the protocol's administrative governance, allowing them to drain liquidity pools almost instantly. For defenders managing Web3 infrastructure or high-value treasury operations, this event serves as a stark warning: the compromise of a privileged developer or council member can bypass even robust on-chain logic.

Technical Analysis

Affected Products & Platforms:

  • Protocol: Drift Protocol (Solana Network)
  • Infrastructure Component: Solana Runtime (Transaction Processing)
  • Target: Security Council Administrative Privileges / Treasury Wallets

Vulnerability & Attack Mechanics: While the initial vector was social engineering, the technical enabler was the abuse of Durable Nonces. In Solana, a transaction normally expires shortly after it is created, because the recent blockhash it references ages out of the validators' window. A transaction that references a durable nonce instead remains valid indefinitely, until it is executed or the nonce account is advanced. This is intended for complex, multi-step off-chain workflows.

In this attack, the DPRK actors likely tricked a privileged Security Council member into signing a transaction that appeared benign or was part of a fake "audit" or "test." Because the transaction used a durable nonce, the attackers possessed a fully valid, signed authorization that did not expire. They were then able to manipulate the on-chain state or replay the signed authorization to upgrade the program or transfer administrative powers, effectively seizing control of the protocol's "Security Council." Once administrative access was secured, the attackers executed drain functions on the liquidity pools.
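To make the mechanism concrete, here is an added Python example (not code from the original post, from Drift or from Solana Labs) that parses a legacy Solana transaction message and flags it as durable-nonce when its first instruction is the System Program's AdvanceNonceAccount, which is the rule the runtime itself applies. A signing-review tool can run this check on the bytes a council member is asked to sign; the keys and messages are constructed inline and the blockhash field of a durable message carries the stored nonce value rather than a recent blockhash.

```python
import struct
SYSTEM_PROGRAM = bytes(32)  # 11111111111111111111111111111111 decodes to 32 zero bytes
ADVANCE_NONCE_ACCOUNT, TRANSFER = 4, 2  # SystemInstruction discriminators (u32 little-endian)
def compact_u16(buf, pos):  # Solana's 1-3 byte length prefix, 7 payload bits per byte
    val = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, pos
        shift += 7

def parse_message(msg):
    """Legacy message: 3-byte header, account keys, blockhash (or nonce value), instructions."""
    n, pos = compact_u16(msg, 3)
    keys, pos = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n)], pos + 32 * n
    blockhash, pos = msg[pos:pos + 32], pos + 32
    n, pos = compact_u16(msg, pos)
    ixs = []
    for _ in range(n):
        prog, pos = keys[msg[pos]], pos + 1
        k, pos = compact_u16(msg, pos)
        accts, pos = list(msg[pos:pos + k]), pos + k
        k, pos = compact_u16(msg, pos)
        ixs.append((prog, accts, msg[pos:pos + k]))
        pos += k
    return keys, blockhash, ixs

def durable_nonce_info(msg):
    """None for an ordinary transaction; otherwise the nonce account, authority and value the signature stays bound to."""
    keys, nonce, ixs = parse_message(msg)
    prog, accts, data = ixs[0] if ixs else (None, [], b"")  # the runtime inspects only the first instruction
    if prog != SYSTEM_PROGRAM or len(accts) < 3 or data[:4] != struct.pack("<I", ADVANCE_NONCE_ACCOUNT):
        return None
    return {"nonce_account": keys[accts[0]], "nonce_authority": keys[accts[2]],
            "nonce_value": nonce, "instruction_count": len(ixs)}

def build_message(keys, blockhash, ixs):
    """Builder for constructed samples; counts stay below 128 so each compact-u16 is one byte."""
    msg = bytes([1, 0, 1, len(keys)]) + b"".join(keys) + blockhash + bytes([len(ixs)])
    for prog, accts, data in ixs:
        msg += bytes([prog, len(accts)]) + bytes(accts) + bytes([len(data)]) + data
    return msg

# Constructed sample keys (not real addresses): signer, nonce account, RecentBlockhashes sysvar, recipient.
SIGNER, NONCE_ACCOUNT, SYSVAR, RECIPIENT = (bytes([i]) * 32 for i in (1, 2, 3, 4))
KEYS = [SIGNER, NONCE_ACCOUNT, SYSVAR, RECIPIENT, SYSTEM_PROGRAM]  # index 4 = System Program
TRANSFER_IX = (4, [0, 3], struct.pack("<IQ", TRANSFER, 1_000_000))
ADVANCE_IX = (4, [1, 2, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT))  # nonce acct, sysvar, authority
PLAIN_MSG = build_message(KEYS, bytes([9]) * 32, [TRANSFER_IX])  # ordinary tx: blockhash ages out
DURABLE_MSG = build_message(KEYS, bytes([7]) * 32, [ADVANCE_IX, TRANSFER_IX])  # valid until advanced
```

The check tells a reviewer that a signature would not expire on its own, but not whether the nonce value is still current on chain; only advancing the nonce account (remediation step 3) invalidates a message that has already been signed.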

Exploitation Status:

  • Confirmed Active Exploitation: Yes (Funds drained on April 1, 2026)
  • Attribution: DPRK (North Korea) threat actors, known for targeting DeFi bridges and protocols.

Detection & Response

The compromise of Web3 infrastructure often begins at the endpoint—the developer workstation or the validator node. The following detection logic focuses on identifying the abuse of the Solana CLI (Command Line Interface) for durable nonce operations, which are rare in standard operations but critical in this attack chain.

SIGMA Rules

YAML
---
title: Drift Protocol Compromise - Solana CLI Durable Nonce Usage
id: 8a4f2c91-1b3d-4e5f-9a0b-2c3d4e5f6a7b
status: experimental
description: Detects the usage of the Solana CLI with durable nonces, a technique used in the Drift Protocol exploit to maintain persistent transaction validity for administrative takeover.
references:
  - https://thehackernews.com/2026/04/drift-loses-285-million-in-durable.html
author: Security Arsenal
date: 2026/04/02
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/solana'
    CommandLine|contains:
      - '--nonce'
      - '--durable-nonce'
      - 'nonce-account'
  condition: selection
falsepositives:
  - Legitimate developer testing of durable transactions (rare in production)
level: high
---
title: Suspicious Solana Program Upgrade Authority Change
id: 9b5g3d02-2c4e-5f6a-0b1c-3d4e5f6a7b8c
status: experimental
description: Detects attempts to set upgrade authority for Solana programs, indicative of a governance takeover attempt like the Drift incident.
references:
  - https://thehackernews.com/2026/04/drift-loses-285-million-in-durable.html
author: Security Arsenal
date: 2026/04/02
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/solana'
    CommandLine|contains:
      - 'set-upgrade-authority'
      - 'upgrade-program'
  condition: selection
falsepositives:
  - Authorized protocol upgrades by verified DevOps teams
level: critical

KQL (Microsoft Sentinel / Defender)

This query hunts for execution of the Solana CLI with arguments related to nonces or administrative changes. It reads the DeviceProcessEvents table, so it covers Linux endpoints onboarded to Microsoft Defender for Endpoint; hosts that only forward Syslog or CEF do not populate that table.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessVersionInfoOriginalFileName =~ "solana" or FileName endswith "solana"
| where ProcessCommandLine has "nonce" 
   or ProcessCommandLine has "set-upgrade-authority" 
   or ProcessCommandLine has "close-program"
| extend HostName = DeviceName
| project Timestamp, HostName, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc

Velociraptor VQL

Hunt for processes running the Solana CLI that are interacting with nonce accounts or attempting privilege escalation actions.

VQL — Velociraptor
-- Hunt for Solana CLI usage related to nonces or admin functions
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'solana'
  AND (
    CommandLine =~ 'nonce' 
    OR CommandLine =~ 'set-upgrade-authority'
    OR CommandLine =~ 'upgrade'
  )

Remediation Script (Bash)

This script is intended for incident responders securing a compromised or suspected Solana validator/admin node. It kills active Solana CLI processes (if unauthorized activity is detected) and audits keypair files.

Bash / Shell
#!/bin/bash
# Incident Response Hardening for Solana Nodes post-Drift Compromise
# Usage: sudo ./drift_hardening.sh
# Note: under sudo, $HOME is root's home; export SOLANA_DIR to audit another user's config.

echo "[+] Stopping unauthorized Solana CLI processes..."
# WARNING: Verify legitimate processes before killing in production
# pkill exits 1 when nothing matches, which is not an error for this script.
pkill -9 -f "solana.*nonce" || true
pkill -9 -f "solana.*set-upgrade-authority" || true

echo "[+] Auditing Solana Keypairs and Config..."
SOLANA_DIR="${SOLANA_DIR:-$HOME/.config/solana}"

if [ -d "$SOLANA_DIR" ]; then
  echo "[!] Found Solana config directory at $SOLANA_DIR"
  echo "[+] Listing recent keypair modifications (last 24h):"
  # Keypairs are JSON files (id.json by default); search the directory rather than a quoted
  # literal path, which would not glob and would silently match nothing.
  find "$SOLANA_DIR" -type f \( -name '*.json' -o -name '*keypair*' \) -mtime -1 -ls 2>/dev/null
else
  echo "[-] No standard Solana config directory found."
fi

echo "[+] Checking for active SSH sessions (potential lateral movement):"
who -u

echo "[+] Recommendation: Rotate all Security Council keypairs and revoke durable nonces immediately."
echo "[+] Recommendation: Pause the program if governance compromise is confirmed."

Remediation

  1. Immediate Governance Pause: If your protocol utilizes a "Security Council" or similar multi-sig/admin structure with pause functionality, invoke an emergency pause immediately to halt transfers and state changes.

  2. Key Rotation: Assume all private keys associated with the compromised council members are burned. Generate new keypairs on air-gapped systems. Do not reuse old seeds.

  3. Revoke Durable Nonces: Audit the blockchain state for any open durable nonces associated with administrative accounts. Revoke or invalidate these nonces by consuming them in a no-op transaction or updating the account authority if possible.

  4. Protocol Upgrade (If applicable): If the attack leveraged a logic flaw in how the protocol handles durable nonces (e.g., lack of replay protection), deploy a patch that restricts nonce usage to specific whitelisted instructions or enforces stricter checks on administrative transactions.

  5. Vendor Advisory: Monitor the official Drift Protocol channels and Solana Foundation advisories for specific contract upgrades or RPC configurations required to mitigate this specific vector.
