The Drift hack wasn’t a code exploit.
It was social engineering using Solana’s durable nonces.
Quick explainer on durable nonces ↓
Normally, Solana transactions include a recent blockhash that expires in ~90 seconds. Miss the window and the signed transaction dies.
Durable nonces remove that expiry.
Instead of a blockhash that dies in 90 seconds, you substitute a stored nonce value from a special on-chain account. That nonce doesn't expire until someone manually advances it or submits the transaction.
A signed transaction using a durable nonce can sit in someone's pocket for days, weeks, months. Still valid. Still executable. The signer has no visibility into when or whether it gets used.
This exists for good reasons: multisig wallets where signers are in different time zones, cold storage setups, custodial services that need offline signing. But it fundamentally changes the threat model.
How it was weaponized:
- Mar 23: Attacker created four nonce accounts (two tied to Drift security council members).
- Mar 23–30: Collected 2/5 multisig signatures on “routine” transactions.
- Those signatures didn’t expire; they sat usable for days.
- Apr 1: Attacker submitted two pre-signed transactions four slots apart: admin takeover, limits removed, vaults drained. ~$280M gone.
Without durable nonces, the attacker would’ve had to trick signers and execute inside a 90-second window.
Nonces stretched that window to over a week, letting them gather signatures slowly.
No seed phrases leaked.
Audits passed.
The failure was a 2/5 multisig with no timelock plus a transaction format that separates signing from execution.
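A signer-side check for the property described above, as an added example that is not part of the original post: it parses a serialized Solana message and reports whether the first instruction is the System Program's AdvanceNonceAccount, which is what marks a transaction as using a durable nonce. The function names, sample keys and nonce value are constructed for illustration, and only the first instruction of a legacy or version-prefixed message is inspected.

```python
import struct

SYSTEM_PROGRAM = bytes(32)  # base58 "1111...1111" decodes to 32 zero bytes
ADVANCE_NONCE = 4           # SystemInstruction::AdvanceNonceAccount, u32 LE tag

def shortvec(buf, off):
    """Decode Solana's compact-u16 length prefix; return (value, next offset)."""
    val = shift = 0
    while True:
        byte = buf[off]
        off += 1
        val |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return val, off
        shift += 7

def durable_nonce_info(msg):
    """Return nonce details if the message's first instruction advances a
    nonce account (so signatures over it do not expire), else None."""
    off = 4 if msg[0] & 0x80 else 3  # optional version prefix + 3-byte header
    n_keys, off = shortvec(msg, off)
    keys = [msg[off + 32 * i: off + 32 * (i + 1)] for i in range(n_keys)]
    off += 32 * n_keys
    stored_value = msg[off:off + 32]  # "recent blockhash" slot holds the nonce
    n_ix, off = shortvec(msg, off + 32)
    if n_ix == 0:
        return None
    prog = msg[off]
    n_acc, off = shortvec(msg, off + 1)
    accts = msg[off:off + n_acc]
    dlen, off = shortvec(msg, off + n_acc)
    data = msg[off:off + dlen]
    if len(accts) < 3 or max(prog, accts[0], accts[2]) >= n_keys:
        return None
    if keys[prog] != SYSTEM_PROGRAM or len(data) < 4:
        return None
    if struct.unpack_from("<I", data)[0] != ADVANCE_NONCE:
        return None
    # AdvanceNonceAccount accounts: [nonce account, sysvar, nonce authority]
    return {"nonce_account": keys[accts[0]].hex(),
            "authority": keys[accts[2]].hex(), "nonce": stored_value.hex()}

def sample_message(accts, data):
    """Constructed legacy message: 4 placeholder keys, one instruction."""
    keys = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, SYSTEM_PROGRAM]
    ix = bytes([3, len(accts), *accts, len(data)]) + data
    return bytes([1, 0, 2, len(keys)]) + b"".join(keys) + b"\xaa" * 32 + b"\x01" + ix

NONCE_TX = sample_message([1, 2, 0], struct.pack("<I", ADVANCE_NONCE))
TRANSFER_TX = sample_message([0, 1], struct.pack("<IQ", 2, 1000))
```

A signing tool or multisig review step can call `durable_nonce_info` on the message bytes before approval and surface a non-`None` result as "this signature has no expiry".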