Author: Gu Yu, ChainCatcher
Around 1 a.m. today, another massive theft hit the DeFi space: the Solana lending protocol Drift was attacked by hackers, and over $220 million of user assets was stolen within ten seconds.
Following the incident, Drift's token plummeted by over 40% in a short period, with the current FDV around $44 million. Because many Solana ecosystem assets were involved, Solana tokens such as SOL and JUP also saw abnormal declines of varying degrees.
Drift was previously one of the largest lending protocols in the Solana ecosystem. According to RootData, the protocol has raised over $52 million, with investors including leading VCs such as Multicoin Capital, Polychain, Robot Ventures, Blockchain Capital, Ethereal Ventures, Jump Capital, and others.

According to public analysis, the theft is closely tied to the attacker illegally gaining control of the multi-signature address, combined with governance attacks and oracle attacks, all of which are common attack methods. The attacker used a single signing key to complete all operations in a single transaction: creating a false market, manipulating the oracle, and lifting withdrawal restrictions. Among these, the leak of the multi-signature address's private key suggests possible insider involvement.
These familiar attack methods, together with the project's weak preventative measures, once again expose the vulnerabilities in the DeFi space. According to a tweet by Omer Goldberg, founder of Chaos Labs, here is a detailed analysis of the theft process:
The first signs of the event appeared a week ago, when Drift migrated the protocol's management authority from the old multi-signature wallet to a new multi-signature wallet. The new wallet was created by one of the signers of the old multi-signature, who did not include themselves in it.
The attacker exploited this loophole by proposing, in the old multi-signature wallet, to transfer Drift's admin privileges to a new wallet (controlled by the attacker).
The new multi-signature had five signers, of which only one was from the old wallet; the other four were completely new. The rules were extremely loose: only 2 out of 5 needed to agree (meaning just 2 signatures were enough), and there was a 0-second time lock (a proposal was executed immediately, without any waiting period).
Early this morning, the only remaining signer from the old wallet proposed: "Change Drift's admin privileges to the wallet truly controlled by the attacker."
Seconds later, one of the new signers added a second signature, easily reaching the 2-of-5 threshold. Since there was no time lock, the proposal was executed instantly, and the attacker obtained full admin rights.
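The weaknesses described above (a 2-of-5 threshold, a 0-second time lock, four of five signers replaced) can be caught by reviewing a proposed authority migration before it is approved. The following is an added example, not code from Drift or from the cited analysis; the policy values, finding codes and signer names are assumptions, and the old wallet's size and rules are constructed because the article does not give them.

```python
from dataclasses import dataclass

# Hypothetical review policy for this example; tune to your own governance rules.
MIN_TIMELOCK_SECONDS = 24 * 3600   # minimum delay before an approved proposal executes
MIN_SIGNER_CONTINUITY = 0.5        # share of new signers that must come from the old set


@dataclass(frozen=True)
class MultisigConfig:
    signers: frozenset      # signer identifiers
    threshold: int          # approvals needed to execute
    timelock_seconds: int   # wait between approval and execution


def review_migration(old, new):
    """Return finding codes for a proposed move of admin authority from old to new."""
    n = len(new.signers)
    if n == 0:
        return ["NO_SIGNERS"]
    findings = []
    newcomers = new.signers - old.signers
    if new.threshold * 2 <= n:                      # fewer than a strict majority
        findings.append("THRESHOLD_NOT_MAJORITY")
    if new.timelock_seconds < MIN_TIMELOCK_SECONDS:
        findings.append("TIMELOCK_TOO_SHORT")
    if (n - len(newcomers)) / n < MIN_SIGNER_CONTINUITY:
        findings.append("SIGNER_SET_REPLACED")
    if len(newcomers) >= new.threshold:             # no old signer is needed to execute
        findings.append("NEWCOMERS_CAN_EXECUTE_ALONE")
    return findings


# Constructed signer names. REPORTED_NEW mirrors the article: five signers,
# one carried over, 2-of-5, zero time lock. OLD and ROTATE_ONE are assumed.
OLD = MultisigConfig(frozenset({"s1", "s2", "s3", "s4", "s5"}), 3, 86400)
REPORTED_NEW = MultisigConfig(frozenset({"s1", "n1", "n2", "n3", "n4"}), 2, 0)
ROTATE_ONE = MultisigConfig(frozenset({"s1", "s2", "s3", "s4", "n1"}), 3, 86400)

if __name__ == "__main__":
    print(review_migration(OLD, REPORTED_NEW))
    print(review_migration(OLD, ROTATE_ONE))
```
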
The attacker then immediately used these permissions to create a CVT spot market in the Drift protocol. CVT had a total supply of about 750 million, of which the attacker held 600 million. The attacker then configured Drift to read from a SwitchboardOnDemand oracle that they controlled.
After completing the operations, the attacker raised the price of the nearly worthless CVT token through 20 transactions, making the 600 million CVT they deposited appear to be worth hundreds of millions of dollars according to the oracle. Thus, the attacker borrowed assets worth about $220 million to $280 million, which included 41.72 million JLP (Jupiter LP token, worth about $155 million), 51.61 million USDC, 164 cbBTC (worth about $11.29 million), and others.
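The sequence described above (an admin transfer followed at once by a new market, a new oracle source and lifted withdrawal limits) is a pattern a monitoring job can alert on. The following is an added detection sketch, not part of the original article or of any project's code; the action labels, the cool-off window and the event log are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical action labels and cool-off window; map them to the admin
# instructions your protocol actually emits.
SENSITIVE = {"create_spot_market", "set_oracle_source", "raise_withdraw_limit"}
COOL_OFF_SECONDS = 48 * 3600


@dataclass(frozen=True)
class AdminEvent:
    ts: int       # unix seconds
    actor: str
    action: str


def detect_post_transfer_actions(events):
    """Flag sensitive admin actions performed soon after admin authority changes hands."""
    alerts, change_ts = [], None
    for ev in sorted(events, key=lambda e: e.ts):   # stable sort keeps same-second order
        if ev.action == "transfer_admin":
            change_ts = ev.ts
        elif (change_ts is not None and ev.action in SENSITIVE
              and ev.ts - change_ts < COOL_OFF_SECONDS):
            alerts.append((ev.actor, ev.action, ev.ts - change_ts))
    seen = {action for _, action, _ in alerts}
    # Critical when every sensitive action type appears inside the window.
    return {"alerts": alerts, "critical": SENSITIVE <= seen}


# Constructed event log shaped like the reported incident (timestamps are made up).
INCIDENT_LIKE = [
    AdminEvent(0, "old_admin", "set_oracle_source"),       # routine, before any transfer
    AdminEvent(1000, "old_multisig", "transfer_admin"),
    AdminEvent(1002, "new_admin", "create_spot_market"),
    AdminEvent(1003, "new_admin", "set_oracle_source"),
    AdminEvent(1005, "new_admin", "raise_withdraw_limit"),
]
# Constructed benign log: an oracle change three days after a transfer.
ROUTINE = [
    AdminEvent(1000, "old_multisig", "transfer_admin"),
    AdminEvent(1000 + 72 * 3600, "new_admin", "set_oracle_source"),
]

if __name__ == "__main__":
    print(detect_post_transfer_actions(INCIDENT_LIKE))
    print(detect_post_transfer_actions(ROUTINE))
```
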
The building-block structure of DeFi was once seen as the field's greatest advantage, but that same structure has now passed risk along, like dominoes, to other DeFi protocols integrated with the Drift lending market in the Solana ecosystem.
Jupiter is the biggest victim of this security incident, because JLP, the asset stolen in the largest amount, is the core LP asset of Jupiter's perpetual contract market. This theft will significantly reduce liquidity in Jupiter's perpetual contract market and lead to chain reactions such as panic withdrawals and a decline in the JUP token.
In addition, over 15 DeFi protocols, including Perena, Project 0, Exponent, Carrot, Ranger, PiggyBank, Reflect, Elemental, Neutral Trade, Pyra, Fuse, XPlace, and others, have published confirmations of being affected by Drift's theft, with some withdrawal functionalities temporarily suspended.
However, in every security incident, those most affected are still the users, as the continual hacking incidents repeatedly undermine their confidence in DeFi.
“I’m not doing anything else today, withdrawing all the funds from all the old projects on-chain, and not investing in new projects unless I know them well; it’s a tumultuous time, don’t test human nature.” After losing over $6,000 in this incident, the well-known KOL Tu Ao Dashi posted this remark.