- Hackers in the $285 million Drift exploit reportedly funneled $230 million via USDC, but it took Circle six hours to freeze the remaining stolen funds.
Drift Protocol (DRIFT), a Solana (SOL)-based decentralized finance (DeFi) project, confirmed that it suffered from a major exploit on Wednesday. The decentralized exchange (DEX) reportedly lost approximately $280 million to $285 million, accounting for over 50% of its total value locked (TVL), from the incident.
Key Details in the Drift Exploit
Since the event happened on April 1st, Drift had to clarify that the notice was not an April Fool’s joke. At the height of the “unusual activity” and upon launch of its investigation at around 6:00 PM (UTC), it advised users to proceed with caution and avoid depositing into the DEX.
An hour later, Drift suspended all deposits and withdrawals in an attempt to contain the attack. At that time, it wasn’t clear how much funds the hackers siphoned.
On Thursday, the numbers eventually came to light. Drift revealed that the malicious actors carried out the heist by gaining Security Council administrative powers.
Investigators suspected that the highly sophisticated operation likely took weeks of planning and staged execution. It involved a series of pre-signed durable once transactions to delay executions and multiple multisig (multi-signature) signer approvals. The latter possibly stemmed from targeted social engineering or transaction misrepresentation to trick signers.
Drift noted that the attack was not a result of a bug in its programs or smart contracts. Additionally, it denied any compromised seed phrases of its users. However, its token, DRIFT, has lost nearly 50% of its value due to the issue, falling from $0.07236 to $0.03813 in the last 24 hours.
Backlash on Circle
On-chain data later uncovered that roughly 80% of the stolen funds in the Drift exploit flowed through Circle’s stablecoin, USDC. The pseudonymous on-chain sleuth ZachXBT claimed the malicious actors bridged more than $230 million USDC via CCTP (Cross-Chain Transfer Protocol) from Solana to Ethereum (ETH). The hackers distributed them across over a hundred transactions.
The on-chain detective, alongside the broader crypto community, criticized Circle for taking about six hours to freeze the stolen funds. They emphasized that the delay occurred despite the Drift exploit being unraveled during business hours in the US at around 12 PM ET, and despite the Circle’s centralized framework, which could’ve allowed it to act sooner.
To date, Circle has neither issued an official statement regarding the Drift exploit nor responded to comments from concerned crypto users on its social media channel.
