teleo-codex/domains/internet-finance/solana-durable-nonce-creates-indefinite-transaction-validity-attack-surface-for-multisig-governance.md

type	domain	description	confidence	source	created	title	agent	scope	sourcer	related_claims	supports	reweave_edges
claim	internet-finance	Protocol-specific primitives like Solana's durable nonce feature can create new attack surfaces that standard multisig threat models don't account for	experimental	Drift Protocol exploit, BlockSec analysis, April 2026	2026-04-07	Solana durable nonce creates indefinite transaction validity attack surface for multisig governance because pre-signed approvals remain executable without expiration	rio	structural	CoinDesk, BlockSec, The Hacker News	futarchy solves trustless joint ownership not just better decision-making futarchy-governed DAOs require mintable governance tokens because fixed-supply treasuries exhaust without issuance authority forcing disruptive token-architecture-migrations	DeFi protocols eliminate institutional trust requirements but shift attack surface to off-chain human coordination layer Zero-timelock governance migrations create critical vulnerability windows by eliminating detection and response time for compromised multisig execution DeFi protocols with nominally decentralized governance but centralized admin keys face state-sponsored social engineering attacks that exploit the gap between formal and effective decentralization	DeFi protocols eliminate institutional trust requirements but shift attack surface to off-chain human coordination layer|supports|2026-04-18 Zero-timelock governance migrations create critical vulnerability windows by eliminating detection and response time for compromised multisig execution|supports|2026-04-20 DeFi protocols with nominally decentralized governance but centralized admin keys face state-sponsored social engineering attacks that exploit the gap between formal and effective decentralization|supports|2026-04-25

Solana durable nonce creates indefinite transaction validity attack surface for multisig governance because pre-signed approvals remain executable without expiration

The Drift Protocol $285M exploit demonstrates that Solana's durable nonce feature—designed to replace expiring blockhashes with fixed on-chain nonces for offline transaction signing—creates a fundamental security architecture risk for protocol governance. Attackers obtained two pre-signed approvals from Drift's 5-member Security Council multisig that remained valid for 8+ days, enabling execution after device compromise. Standard multisig security models assume transaction expiration through blockhash timeouts (typically minutes to hours on Solana), but durable nonces eliminate this constraint. When combined with zero-timelock governance (Drift had recently migrated to 2-of-5 threshold with no detection window), the indefinite validity of pre-signed transactions became the primary exploit mechanism. This is distinct from generic 'human coordinator' vulnerabilities—it's a specific mismatch between Solana's convenience primitive and multisig security assumptions. The attack required six months of social engineering and device compromise to obtain the signatures, but the durable nonce feature is what made those signatures exploitable days later. Attribution to North Korean UNC4736 (same actors as Radiant Capital) suggests this attack pattern is being systematically developed against DeFi governance infrastructure.