This is not an April Fools' joke: a $285 million exploit on April 1 drained over half of Drift Protocol’s roughly $550 million in total value locked (TVL) on Solana. The attackers abused durable nonces and a fake CarbonVote Token to seize multisig administrative control and rapidly empty vaults. Investigators attribute the six-month, highly coordinated operation to DPRK-linked UNC4736. The stolen funds were laundered through USDC, SOL, bridges and exchanges while Drift froze protocol functions and coordinated recovery efforts.
Key points
- A $285 million exploit on April 1 drained more than half of Drift Protocol’s TVL on Solana.
- Attackers exploited Solana’s durable nonces to reuse pre-signed multisig approvals and seize Security Council powers.
- The attackers created a fake token, CarbonVote Token (CVT), and used wash trading to fool price oracles into accepting it as collateral.
- Attribution points to DPRK-linked group UNC4736 after a six-month infiltration involving social engineering, a malicious TestFlight app, and a VSCode/Cursor vulnerability.
- Stolen assets were converted into USDC and SOL, partially bridged and moved through exchanges while Drift froze protocol functions and engaged partners to trace and recover funds.
Read More: https://thecyberexpress.com/drift-protocol-draining-285m-in-12-mins/