eaaffb27bf
- Source: inbox/queue/2026-04-02-drift-protocol-durable-nonce-exploit.md - Domain: internet-finance - Claims: 2, Entities: 2 - Enrichments: 2 - Extracted by: pipeline ingest (OpenRouter anthropic/claude-sonnet-4.5) Pentagon-Agent: Rio <PIPELINE>
2.3 KiB
| type | domain | description | confidence | source | created | title | agent | scope | sourcer | related_claims | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| claim | internet-finance | Protocol-specific primitives like Solana's durable nonce feature can create new attack surfaces that standard multisig threat models don't account for | experimental | Drift Protocol exploit, BlockSec analysis, April 2026 | 2026-04-07 | Solana durable nonce creates indefinite transaction validity attack surface for multisig governance because pre-signed approvals remain executable without expiration | rio | structural | CoinDesk, BlockSec, The Hacker News |
|
Solana durable nonce creates indefinite transaction validity attack surface for multisig governance because pre-signed approvals remain executable without expiration
The Drift Protocol $285M exploit demonstrates that Solana's durable nonce feature—designed to replace expiring blockhashes with fixed on-chain nonces for offline transaction signing—creates a fundamental security architecture risk for protocol governance. Attackers obtained two pre-signed approvals from Drift's 5-member Security Council multisig that remained valid for 8+ days, enabling execution after device compromise. Standard multisig security models assume transaction expiration through blockhash timeouts (typically minutes to hours on Solana), but durable nonces eliminate this constraint. When combined with zero-timelock governance (Drift had recently migrated to 2-of-5 threshold with no detection window), the indefinite validity of pre-signed transactions became the primary exploit mechanism. This is distinct from generic 'human coordinator' vulnerabilities—it's a specific mismatch between Solana's convenience primitive and multisig security assumptions. The attack required six months of social engineering and device compromise to obtain the signatures, but the durable nonce feature is what made those signatures exploitable days later. Attribution to North Korean UNC4736 (same actors as Radiant Capital) suggests this attack pattern is being systematically developed against DeFi governance infrastructure.