Drift Protocol, a Solana-based decentralized exchange (DEX), confirmed Thursday it was targeted in a roughly $280 million exploit, describing it as a “highly sophisticated operation.”
The platform took to X to share its findings from a preliminary investigation, saying that the attackers exploited Solana’s durable nonces, a mechanism enabling pre-signed transactions, to seize control and drain funds. The protocol had earlier said it was experiencing an active attack and suspended deposits and withdrawals while coordinating with security firms, bridges and exchanges.
The attack began on Wednesday, with the theft involving multiple assets, including Circle’s USDC (USDC) and various altcoins. Onchain data later showed that the exploiter swapped the bulk of assets into USDC, with the funds later bridged to Ethereum.
The incident has attracted scrutiny not only because it appears to involve abuse of a legitimate Solana transaction feature rather than a plain smart contract failure, but also for how funds moved across chains for hours without being frozen, raising questions about intervention by centralized stablecoin issuers.
Source: Drift
What is Solana’s durable nonce feature?
Solana’s durable nonces are a unique feature allowing transactions to bypass certain expiration windows and enabling users to pre-sign transactions for later execution, offline signing, or complex multisig workflows.
Drift said the attacker used durable nonce-based, pre-signed transactions to gain unauthorized administrative access and execute malicious actions quickly after submission.
Source: Drift
Durable nonces have not been widely associated with major exploits on their own, but developers have noted that features enabling delayed execution can introduce complexity and potential risks if misused or combined with other vulnerabilities.
Questions over Circle’s response
The incident has sparked criticism of the USDC issuer Circle, as the attacker took hours to swap $270 million to the stablecoin before bridging to Ethereum.
Onchain sleuth ZachXBT and others said the company had at least six hours to freeze funds but did not act, contrasting the response with previous cases where wallets were blacklisted.
The Drift exploiter had bought 130,262 ($267 million) Ether in total by publishing time. Source: Lookonchain
Some industry figures pointed to the gap between Circle’s ability to freeze funds and any obligation to do so.
“Circle could freeze it. But they’re not required to,” pseudonymous user Molu wrote on X, adding that proposed regulatory frameworks such as the GENIUS Act could change that dynamic by requiring intervention under finalized rules.
The incident marks yet another case in the ongoing debate over intervention by centralized platforms during attacks, with ZachXBT repeatedly criticizing Circle over the issue.
The researcher previously questioned Circle’s response to USDC tied to a Bybit-related hack in late February, prompting a response from Circle CEO Jeremy Allaire, who said the company acts on law enforcement requests before freezing funds.
Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently. Read our Editorial Policy https://cointelegraph.com/editorial-policy
