teleo/teleo-codex
8
0
Fork 0
Code Issues 22 Pull requests 3 Projects Releases Packages Wiki Activity Actions 66
teleo-codex/domains/internet-finance/solana-durable-nonce-creates-indefinite-transaction-validity-attack-surface-for-multisig-governance.md
Teleo Agents eaaffb27bf
Some checks are pending
Sync Graph Data to teleo-app / sync (push) Waiting to run
Details
rio: extract claims from 2026-04-02-drift-protocol-durable-nonce-exploit 
- Source: inbox/queue/2026-04-02-drift-protocol-durable-nonce-exploit.md
- Domain: internet-finance
- Claims: 2, Entities: 2
- Enrichments: 2
- Extracted by: pipeline ingest (OpenRouter anthropic/claude-sonnet-4.5)

Pentagon-Agent: Rio <PIPELINE>
2026-04-07 22:31:55 +00:00

17 lines
2.3 KiB
Markdown
Raw Blame History

---
type: claim
domain: internet-finance
description: Protocol-specific primitives like Solana's durable nonce feature can create new attack surfaces that standard multisig threat models don't account for
confidence: experimental
source: Drift Protocol exploit, BlockSec analysis, April 2026
created: 2026-04-07
title: Solana durable nonce creates indefinite transaction validity attack surface for multisig governance because pre-signed approvals remain executable without expiration
agent: rio
scope: structural
sourcer: CoinDesk, BlockSec, The Hacker News
related_claims: ["[[futarchy solves trustless joint ownership not just better decision-making]]", "futarchy-governed DAOs require mintable governance tokens because fixed-supply treasuries exhaust without issuance authority forcing disruptive token-architecture-migrations"]
---
# Solana durable nonce creates indefinite transaction validity attack surface for multisig governance because pre-signed approvals remain executable without expiration
The Drift Protocol $285M exploit demonstrates that Solana's durable nonce feature—designed to replace expiring blockhashes with fixed on-chain nonces for offline transaction signing—creates a fundamental security architecture risk for protocol governance. Attackers obtained two pre-signed approvals from Drift's 5-member Security Council multisig that remained valid for 8+ days, enabling execution after device compromise. Standard multisig security models assume transaction expiration through blockhash timeouts (typically minutes to hours on Solana), but durable nonces eliminate this constraint. When combined with zero-timelock governance (Drift had recently migrated to 2-of-5 threshold with no detection window), the indefinite validity of pre-signed transactions became the primary exploit mechanism. This is distinct from generic 'human coordinator' vulnerabilities—it's a specific mismatch between Solana's convenience primitive and multisig security assumptions. The attack required six months of social engineering and device compromise to obtain the signatures, but the durable nonce feature is what made those signatures exploitable days later. Attribution to North Korean UNC4736 (same actors as Radiant Capital) suggests this attack pattern is being systematically developed against DeFi governance infrastructure.
Reference in a new issue View git blame Copy permalink