Drift Protocol, a Solana-based decentralized exchange, reported a roughly $280 million exploit it called a “highly sophisticated operation.” According to the team’s preliminary findings, attackers abused Solana’s durable nonces — a feature that permits pre-signed, delayed, or off-line transactions — to obtain unauthorized administrative access and rapidly drain funds. Drift immediately paused deposits and withdrawals and began coordinating with security firms, bridge operators and exchanges after detecting the breach.
The theft, which started on Wednesday, involved multiple tokens including Circle’s USDC and a range of altcoins. On-chain tracking showed the exploiter converted most of the stolen assets into USDC and later bridged the funds to Ethereum. By the time public reporting captured the movements, the attacker had reportedly acquired about 130,262 ETH (roughly $267 million).
This incident is notable because it appears to hinge on the legitimate durable-nonce transaction mechanism rather than a conventional smart-contract bug. Durable nonces allow transactions to bypass standard expiry windows and support pre-signed transactions for future execution, offline signing, and complex multisig workflows. Drift said the attacker used durable-nonce-based pre-signed transactions to gain admin privileges and carry out malicious operations almost immediately after submission. While durable nonces are not commonly the sole cause of major exploits, developers have warned that delayed-execution features add complexity and can heighten risk if misused or combined with other vulnerabilities.
The hack has renewed scrutiny of Circle, the issuer of USDC. On-chain investigators and sleuths pointed out that the exploiter took several hours to swap nearly $270 million into USDC before bridging those funds to Ethereum, suggesting Circle had a window in which it might have frozen the tokens. Critics contrasted Circle’s response with past incidents where certain wallets were blacklisted. Industry observers cautioned, however, that while Circle has the technical ability to freeze USDC under some circumstances, it is not always legally or operationally obliged to do so. Some commentators also noted that proposed regulatory frameworks, such as the GENIUS Act, could alter when and how centralized issuers are required to intervene.
The episode has reignited a broader debate over the role of centralized entities during blockchain attacks. Investigator ZachXBT and others have publicly questioned Circle’s choices in recent incidents; Circle CEO Jeremy Allaire has said the company acts on law enforcement requests when freezing funds. Meanwhile, analysts stress that features intended to increase transaction flexibility—like durable nonces—can create attack surfaces if not paired with robust access controls and operational safeguards.
Drift’s team continues to work with external security specialists and partners to assess the full scope of the breach, recover assets where possible, and pursue remediation. The event highlights tensions between on-chain transaction mechanics, centralized issuer responsibilities, and evolving regulatory expectations in the wake of major crypto incidents.