Drift Says Nonce Attack Drove Exploit as Circle Faces USDC Scrutiny

Drift Protocol, a Solana-based decentralized exchange (DEX), confirmed Thursday it was targeted in a roughly $280 million exploit, describing it as a “highly sophisticated operation.”

The platform took to X on to share its findings from a preliminary investigation, saying that the attackers exploited Solana’s durable nonces, a mechanism enabling pre-signed transactions, to seize control and drain funds. The protocol had earlier said it was experiencing an active attack and suspended deposits and withdrawals while coordinating with security firms, bridges and exchanges.

The attack began on Wednesday, with the theft involving multiple assets, including Circle’s USDC (USDC) and various altcoins. Onchain data later showed that the exploiter swapped the majority of assets into USDC, with the funds later bridged to Ethereum.

The incident has attracted scrutiny not only because it appears to involve abuse of a legitimate Solana transaction feature rather than a plain smart contract failure, but also for how funds moved across chains for hours without being frozen, raising questions about intervention by centralized stablecoin issuers.

What is Solana’s durable nonce feature?

Solana’s durable nonces are a unique feature allowing transactions to bypass certain expiration windows and enabling users to pre-sign transactions for future execution, offline signing, or complex multisig workflows.

Drift said the attacker used durable nonce-based, pre-signed transactions to gain unauthorized administrative access and execute malicious actions quickly after submission.

Durable nonces have not been widely associated with major exploits on their own, but developers have noted that features enabling delayed execution can introduce complexity and potential risks if misused or combined with other vulnerabilities.

Questions over Circle’s response

The incident has sparked criticism of the USDC issuer Circle, as the attacker took hours to swap $270 million to the stablecoin before bridging to Ethereum.

Onchain sleuth ZachXBT and others said the company had at least six hours to freeze funds but did not act, contrasting the response with previous cases where wallets were blacklisted.

Some industry figures pointed to the gap between Circle’s ability to freeze funds and any obligation to do so.

“Circle could freeze it. But they’re not required to,” pseudonymous user Molu wrote on X, adding that proposed regulatory frameworks such as the GENIUS Act could change that dynamic by requiring intervention under finalized rules.

Related: Balancer Labs shuts down 4 months after $100M+ exploit, protocol to continue

The incident marks yet another case in the ongoing debate over intervention by centralized platforms during attacks, with ZachXBT repeatedly criticizing Circle over the issue.

The investigator previously questioned Circle’s response to USDC tied to a Bybit-related hack in late February, prompting a response from Circle CEO Jeremy Allaire, who said the company acts on law enforcement requests before freezing funds.

Magazine: Nobody knows if quantum secure cryptography will even work