Drift Protocol Reveals $280M Solana Exploit via Durable Nonce Attack, Sparks Criticism of Circle's USDC Freeze Response

Drift Protocol, a decentralized exchange (DEX) built on the Solana blockchain, disclosed on Thursday that it had suffered a $280 million exploit, marking one of the largest attacks in the crypto space this year. The platform attributed the breach to a sophisticated use of Solana’s durable nonces, a feature allowing pre-signed transactions, which attackers leveraged to gain unauthorized access and drain funds. The exploit began on Wednesday and involved multiple assets, including Circle’s USDC and various altcoins, with the majority of stolen funds later converted into USDC and transferred to the Ethereum network. The attack has drawn significant scrutiny for two primary reasons: first, it exploited a legitimate Solana feature rather than a direct smart contract vulnerability, and second, the stolen USDC remained unfrozen for hours, raising questions about the response of centralized stablecoin issuers. Onchain data revealed that the attacker moved $270 million in USDC across chains over a six-hour window without intervention, despite Circle’s known ability to freeze funds. Critics, including onchain investigator ZachXBT, have pointed out that this delay contrasts with previous instances where Circle acted more swiftly to block malicious transactions. Solana’s durable nonces are designed to allow transactions to bypass standard expiration windows, enabling offline signing and complex multisig workflows. However, Drift’s investigation found that attackers used this feature to execute pre-signed transactions and gain administrative control of the protocol. While durable nonces have not previously been linked to major exploits, developers have warned that delayed execution features can introduce risks if combined with other vulnerabilities. The incident has reignited debates about the role of centralized entities like Circle in responding to exploits. Some industry observers argue that while Circle has the technical capability to freeze funds, it is not legally obligated to do so. This has led to calls for regulatory clarity, with proposed frameworks like the GENIUS Act potentially requiring centralized issuers to act under certain conditions. The attack also follows similar criticism of Circle’s response to a Bybit-related hack in late February, where the company defended its actions as being based on law enforcement requests. The Drift exploit underscores the ongoing challenges in balancing innovation with security in blockchain ecosystems. As the crypto industry continues to evolve, the interplay between decentralized protocols and centralized entities remains a contentious issue, particularly when it comes to mitigating the impact of large-scale exploits.