Drift Protocol Lost $285M in 12 Minutes. The Attack Took 6 Months to Build.

The smart contracts were audited and clean. Solana's largest perp DEX still lost $285M. DPRK threat group UNC4736 spent 6 months building trust with signers before pressing go in 12 minutes.

The smart contracts were fine. The code passed every audit. The vaults drained anyway.

Drift Protocol — Solana's largest perpetual futures DEX — lost $285 million in under 12 minutes. Not because of a bug. Not because of a missed require(). Because two people clicked the wrong links at a conference, and nobody noticed until it was over.

This is what a state-sponsored crypto heist looks like up close.

They Didn't Hack the Code. They Hacked the People.

The attackers didn't start with Solidity. They started with LinkedIn profiles, conference badge lanyards, and Telegram messages that felt completely normal.

They approached Drift contributors in person at crypto events. Presented themselves as builders. Had real-looking projects, real GitHub repos, real conversations that stretched across weeks. Then at the right moment — they shared a link.

That link compromised developer devices. Those devices had signing keys. The rest was patience.

The Setup — Silent Staging Nobody Saw

Creating durable nonce accounts: Solana's durable nonce feature lets you pre-sign a transaction and submit it later — useful for cold wallets, catastrophic when an attacker uses it to get legitimate signers to approve transactions they don't fully understand.
Minting a fake collateral token: CVT — Collateral Vault Token. Worthless. Artificially priced. Built specifically to be deposited as fake collateral to borrow real assets against.
Collecting signatures: The compromised signers approved what looked like routine admin transactions. Nobody simulated what those transactions would actually do on-chain. The signatures went dormant — sitting quietly, waiting for the right moment.

The One Decision That Made Everything Possible

Drift migrated to a new Security Council multisig. And removed the timelock.

A timelock is a mandatory delay — usually 24 to 72 hours — between when an admin action is approved and when it actually executes. That gap is not a technicality. It is the last line of defense. It gives your community time to spot a malicious pending transaction and stop it before it fires.

Without the timelock: approved means executed. Instantly. Irreversibly.

The attackers already had pre-signed transactions from 2 of the 5 multisig signers. They needed a 2-of-5 threshold and zero delay. The migration handed them both at the same time.

What 12 Minutes Looked Like

First transaction fires — admin key transferred to the attacker's address. One second later — second transaction approves and executes it. Then in rapid sequence:

CVT whitelisted as valid collateral
Withdrawal limits raised across all vaults
Hundreds of millions in worthless CVT deposited
Real assets — USDC, WBTC, USDT, JLP — borrowed against fake collateral
Circuit breakers disabled. Vaults emptied.

Drift's TVL collapsed from $550M to under $250M before most users had even refreshed their screen. Stolen funds were converted via Jupiter, bridged to Ethereum, swapped into ETH. Tornado Cash handled the rest. All within hours.

What Actually Broke — The Real List

The Multisig Threshold Was Too Low

2-of-5 means you only need to compromise 2 humans to control a protocol holding half a billion dollars. The standard for any protocol above $100M TVL is 4-of-7. Drift chose operational convenience. The attackers chose 2 targets.

The Timelock Was Removed

This single decision turned a recoverable situation into an irreversible one. A 48-hour delay would have surfaced the malicious pending transactions. Without the timelock — nobody had time to do anything.

Nobody Verified What They Were Actually Signing

Durable nonce transactions look routine unless you simulate them in a fork first. The signers were told what the transactions were. They trusted that description. In a protocol managing hundreds of millions, "someone told me it was fine" is not a signing process.

Signing Keys Lived on Internet-Connected Machines

The entire compromise started with a link clicked on a device that had signing authority for a $550M protocol. The attack surface wasn't the blockchain. It was a browser tab.

The Fixes That Would Have Stopped This

4-of-7 minimum multisig threshold: Force attackers to compromise 4 independent humans, not 2.
Non-removable 48-hour timelock: On every admin action — including the migration that removes it.
Fork simulation before signing: Confirm the on-chain effect yourself. Not the description you were given. The actual fork simulation output.
Hardware wallets only: Signing keys never on machines used for Telegram, Discord, email, or browsing.
Zero link policy on signing machines: Nothing clicked. From anyone. Ever.

Drift had audited smart contracts. Drift had a multisig. Drift had a Security Council. Drift had circuit breakers. The attackers didn't touch any of it. They walked in through the front door across six months of relationship building, got two people to sign transactions they didn't fully verify, waited for the protocol to voluntarily remove its own delay mechanism, and pressed go.