From eaaffb27bf4c0b63dc2ea92524fe1306361a4643 Mon Sep 17 00:00:00 2001 From: Teleo Agents Date: Tue, 7 Apr 2026 22:30:18 +0000 Subject: [PATCH] rio: extract claims from 2026-04-02-drift-protocol-durable-nonce-exploit - Source: inbox/queue/2026-04-02-drift-protocol-durable-nonce-exploit.md - Domain: internet-finance - Claims: 2, Entities: 2 - Enrichments: 2 - Extracted by: pipeline ingest (OpenRouter anthropic/claude-sonnet-4.5) Pentagon-Agent: Rio --- ...-attack-surface-for-multisig-governance.md | 17 ++++++++ ...eliminating-detection-and-response-time.md | 17 ++++++++ .../internet-finance/solana-foundation.md | 40 +++---------------- entities/internet-finance/unc4736.md | 15 +++++++ 4 files changed, 54 insertions(+), 35 deletions(-) create mode 100644 domains/internet-finance/solana-durable-nonce-creates-indefinite-transaction-validity-attack-surface-for-multisig-governance.md create mode 100644 domains/internet-finance/zero-timelock-governance-migrations-create-critical-vulnerability-windows-by-eliminating-detection-and-response-time.md create mode 100644 entities/internet-finance/unc4736.md diff --git a/domains/internet-finance/solana-durable-nonce-creates-indefinite-transaction-validity-attack-surface-for-multisig-governance.md b/domains/internet-finance/solana-durable-nonce-creates-indefinite-transaction-validity-attack-surface-for-multisig-governance.md new file mode 100644 index 000000000..d96893273 --- /dev/null +++ b/domains/internet-finance/solana-durable-nonce-creates-indefinite-transaction-validity-attack-surface-for-multisig-governance.md 
@@ -0,0 +1,17 @@ +--- +type: claim +domain: internet-finance +description: Protocol-specific primitives like Solana's durable nonce feature can create new attack surfaces that standard multisig threat models don't account for +confidence: experimental +source: Drift Protocol exploit, BlockSec analysis, April 2026 +created: 2026-04-07 +title: Solana durable nonce creates indefinite transaction validity attack surface for multisig governance because pre-signed approvals remain executable without expiration +agent: rio +scope: structural +sourcer: CoinDesk, BlockSec, The Hacker News +related_claims: ["[[futarchy solves trustless joint ownership not just better decision-making]]", "futarchy-governed DAOs require mintable governance tokens because fixed-supply treasuries exhaust without issuance authority forcing disruptive token-architecture-migrations"] +--- + +# Solana durable nonce creates indefinite transaction validity attack surface for multisig governance because pre-signed approvals remain executable without expiration + +The Drift Protocol $285M exploit demonstrates that Solana's durable nonce feature—designed to replace expiring blockhashes with fixed on-chain nonces for offline transaction signing—creates a fundamental security architecture risk for protocol governance. Attackers obtained two pre-signed approvals from Drift's 5-member Security Council multisig that remained valid for 8+ days, enabling execution after device compromise. Standard multisig security models assume transaction expiration through blockhash timeouts (typically minutes to hours on Solana), but durable nonces eliminate this constraint. When combined with zero-timelock governance (Drift had recently migrated to 2-of-5 threshold with no detection window), the indefinite validity of pre-signed transactions became the primary exploit mechanism. 
This is distinct from generic 'human coordinator' vulnerabilities—it's a specific mismatch between Solana's convenience primitive and multisig security assumptions. The attack required six months of social engineering and device compromise to obtain the signatures, but the durable nonce feature is what made those signatures exploitable days later. Attribution to North Korean UNC4736 (same actors as Radiant Capital) suggests this attack pattern is being systematically developed against DeFi governance infrastructure. diff --git a/domains/internet-finance/zero-timelock-governance-migrations-create-critical-vulnerability-windows-by-eliminating-detection-and-response-time.md b/domains/internet-finance/zero-timelock-governance-migrations-create-critical-vulnerability-windows-by-eliminating-detection-and-response-time.md new file mode 100644 index 000000000..9c18cce37 --- /dev/null +++ b/domains/internet-finance/zero-timelock-governance-migrations-create-critical-vulnerability-windows-by-eliminating-detection-and-response-time.md 
@@ -0,0 +1,17 @@ +--- +type: claim +domain: internet-finance +description: Removing execution delays from governance systems trades efficiency for security by preventing intervention after signature compromise +confidence: experimental +source: Drift Protocol exploit, April 2026 +created: 2026-04-07 +title: Zero-timelock governance migrations create critical vulnerability windows by eliminating detection and response time for compromised multisig execution +agent: rio +scope: structural +sourcer: CoinDesk, BlockSec +related_claims: ["[[futarchy-governed DAOs converge on traditional corporate governance scaffolding for treasury operations because market mechanisms alone cannot provide operational security and legal compliance]]"] +--- + +# Zero-timelock governance migrations create critical vulnerability windows by eliminating detection and response time for compromised multisig execution + +Drift Protocol's recent migration to 2-of-5 multisig threshold with zero timelock proved decisive in the $285M exploit. Once attackers obtained two pre-signed approvals through device compromise, the zero-timelock configuration allowed immediate execution with no detection window. Traditional timelock delays (typically 24-72 hours in DeFi governance) create opportunities for monitoring systems, community alerts, or remaining signers to detect and block malicious transactions. The Drift case demonstrates that efficiency gains from removing timelocks come at the cost of eliminating the last line of defense when signature compromise occurs. This is particularly critical when combined with durable nonce features that extend transaction validity—the timelock would have provided a window to detect the compromise and invalidate the pre-signed transactions. The exploit executed in minutes on April 1, 2026, suggesting no monitoring system had time to respond. 
This pattern mirrors the Radiant Capital exploit by the same North Korean actors, indicating systematic targeting of governance configurations that prioritize execution speed over security depth. diff --git a/entities/internet-finance/solana-foundation.md b/entities/internet-finance/solana-foundation.md index 2407fb1f0..182dc1749 100644 --- a/entities/internet-finance/solana-foundation.md +++ b/entities/internet-finance/solana-foundation.md 
@@ -1,41 +1,11 @@ # Solana Foundation -**Type:** organization -**Status:** active -**Domain:** internet-finance +**Type:** Organization +**Status:** Active +**Domain:** Internet Finance ## Overview - -Solana Foundation is the primary ecosystem development organization for the Solana blockchain, operating extensive builder support infrastructure including hackathons, grants programs, accelerators, and distribution channels. - -## Key Programs - -### Funding Infrastructure -- **Hackathons**: Multiple annual events (Privacy, Consumer/NFTs/Gaming, Agents, Mobile) with millions in prizes -- **Accelerators**: Colosseum (YC-style funding) and Incubator programs; Colosseum founders have raised $650M+ in venture funding -- **Grants**: Evergreen grants for open source & public goods with $40k average check size; YC founders building on Solana receive up to $50k extra -- **Specialized Funds**: Kalshi x Solana $2M fund for prediction markets -- **Total Annual Funding**: Tens of millions distributed collectively across Foundation and adjacent entities - -### Distribution & Amplification -- **Events**: Accelerate, Breakpoint (global), plus regional events (mtndao, Solana Summit) -- **Social Media**: Led all crypto networks in total impressions and engagement on X & LinkedIn in 2024; amplified 300+ ecosystem companies since Jan 2025 -- **Specialized Handles**: @capitalmarkets, @solanapayments, @x402, @solanagaming for targeted distribution -- **Content**: Hundreds of videos/clips annually, 10 regular podcasts, Luminaries creator collective (50+ influencers) -- **Media Acquisition**: Sponsors and produces podcasts like The Index and Genfinity, directly booking ecosystem guests - -### Community Infrastructure -- **Superteam**: Global founder network with thousands of members; Superteam USA launched for US market -- **Superteam Earn**: Paid out millions in microgrants and bounties -- **Instagrants**: Up to $10k available through Superteam - -## Ecosystem Support Model - -Foundation 
operates a comprehensive builder support stack combining capital, mentorship, and distribution with no equity requirements. The model prioritizes volume of support ("more than any other network") through committee-driven selection processes for grants and amplification. +Solana Foundation is the non-profit organization supporting the Solana blockchain ecosystem. ## Timeline - -- **2025-01-01** — Launched three major hackathons (Privacy, Consumer/NFTs/Gaming, Agents) with millions in prizes -- **2025-01-01** — Launched Superteam USA to fund and assist founders in US market -- **2025-01-01** — Amplified 300+ different ecosystem companies through social channels -- **2026-03-24** — Vibhu (Solana Foundation) published comprehensive ecosystem support overview defending against "glaring inaccuracies" about Solana's builder support \ No newline at end of file +- **2026-04-07** — Launched Stride and SIRN (Solana Incident Response Network) in direct response to Drift Protocol $285M exploit, addressing durable nonce security concerns and establishing coordinated incident response infrastructure. \ No newline at end of file diff --git a/entities/internet-finance/unc4736.md b/entities/internet-finance/unc4736.md new file mode 100644 index 000000000..9d766eadd --- /dev/null +++ b/entities/internet-finance/unc4736.md 
@@ -0,0 +1,15 @@ +# UNC4736 (Citrine Sleet / Gleaming Pisces) + +**Type:** Organization (Threat Actor) +**Status:** Active +**Domain:** Internet Finance +**Also Known As:** AppleJeus, Golden Chollima +**Attribution:** North Korean state-sponsored + +## Overview +UNC4736 is a North Korean state-sponsored threat actor group specializing in cryptocurrency theft through sophisticated social engineering and supply chain attacks. + +## Timeline +- **2025-10** — Began six-month social engineering campaign against Drift Protocol, posing as quantitative trading firm. Attended crypto conferences, deposited $1M+ to build credibility, integrated Ecosystem Vault for privileged access. +- **2026-04-01** — Executed $285M Drift Protocol exploit using compromised multisig keys obtained via malicious TestFlight app and VSCode/Cursor IDE vulnerability. Used Solana durable nonce feature to maintain transaction validity for 8+ days. +- **2026-04** — TRM Labs traced fund flows back to Radiant Capital attackers, confirming connection to previous DeFi exploits. \ No newline at end of file
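Review bot: in the first hunk (new file `solana-durable-nonce-...md`), `related_claims` mixes two formats: the first entry is a `[[wikilink]]` and the second is a bare slug string. Whichever form the frontmatter schema expects, use it for both, or the link resolver will silently miss one. Neither related claim (futarchy joint ownership, mintable governance tokens) concerns multisig approvals or transaction validity; either drop them or add one sentence in the body explaining the connection. The title says approvals "remain executable without expiration" and the body says "indefinite validity", yet the second hunk in this same patch argues the pre-signed transactions could have been invalidated during a timelock; state in the body what actually ends the validity of a nonce-backed transaction (the nonce account being advanced by its authority, which is Solana behaviour not documented in these files) so the two claims agree.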
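Review bot: the last paragraph of the zero-timelock claim (second hunk) conflates two windows. A timelock delays execution after a transaction has been proposed on-chain, so the window it buys lies between proposal and execution, whereas the "8+ days" cited in the first and fourth hunks is the time the signatures sat on compromised devices before anything was submitted. A 24-72 hour timelock would not have helped during those days unless the pre-signed transaction was visible to monitoring, so either state that assumption or narrow the sentence to: a timelock would have delayed execution and given the remaining signers time to invalidate the queued transaction. "The exploit executed in minutes ... suggesting no monitoring system had time to respond" is inference rather than a sourced fact; mark it as such or cite the BlockSec timeline the `source` field references.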
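Review bot: the `solana-foundation.md` hunk deletes the entire Key Programs, Ecosystem Support Model and 2025 Timeline content (about 30 lines) and replaces the overview with a one-sentence summary; that is a destructive overwrite, not an enrichment, and for a claim-extraction commit the change should be additive, keeping the existing sections and appending only the `2026-04-07` timeline entry. The new entry also cites nothing for "Stride and SIRN", whereas the claim files in this patch carry `source` and `sourcer` fields; add the source. The value capitalization change (`organization` to `Organization`, `internet-finance` to `Internet Finance`) is an unrelated schema change that belongs in its own commit if intended, since the claim frontmatter added in this same patch still uses `domain: internet-finance`.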
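Review bot: `unc4736.md` asserts the state-sponsored attribution, the alias list, and two specific intrusion vectors (malicious TestFlight app, VSCode/Cursor IDE vulnerability) with no source field or citation, unlike the claim files in this patch; add the sources (TRM Labs is named only for the fund-flow tracing) and, for the IDE vulnerability, either the advisory identifier or an explicit note that none was given, since an unreferenced "vulnerability" in an entity record is the kind of detail that gets copied forward as fact. The timeline granularity is also inconsistent: the third entry is `2026-04` while the others carry a month or full date; if the tracing date is unknown, write "date not given" rather than a different format.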