Solana Drift Protocol drained of $285M via fake token and governance hijack
anonhaven
74 points
32 comments
April 03, 2026
Discussion Highlights (18 comments)
edm0nd
Their CEO should serve prison time for being so incompetent, but hey, C-levels almost never get punished, which is sad.
ph4rsikal
https://www.web3isgoinggreat.com/
Overpower0416
What kind of DeFi protocol has super power private keys to alter the protocol just like that? And no timelock. Seriously? What a joke
embedding-shape
> The attacker used social engineering to induce Drift Security Council multisig signers into pre-signing transactions that appeared routine but carried hidden authorisations.

So much for the "Security Council". What an embarrassment to be in a team/org like that and fail your most basic duty, which would be "look at what you sign".
simonw
So this is the end of the Drift project, right? Back at the top of the crypto hype cycle I wouldn't be surprised to see a project survive even a situation like this one, but now that the hype has died down is it still possible to come back from a loss of this magnitude?
andxor
Hyperliquid.
estetlinus
> The funds were used to deploy CarbonVote Token (CVT), a completely fictitious asset

Crypto calling out other cryptos made me giggle.
rvba
It feels like the main purpose of those various coins is scams. Either classic pump and dump, or advanced ones based on complex interactions.
yieldcrv
This is a beautiful attack: the way that multisig signers were compromised with innocuous signatures in advance, without really compromising private keys; from the pre-funding to a virgin address, to the bundler, to the exit strategy to decentralized assets, to the protocols exposed but functioning perfectly under the stress test - props to Jupiter! - and the optional insurance protocols functioning decently, all while people point fingers at Circle for their bridge working perfectly; it's not even clear what people want them to do specifically! All of these aspects of web3 are working great, and it's easy for a cynic who only sees these headlines to miss that inspirational, great place to build.
pawelduda
Trusting any of these crypto protocols is hard with any serious money. If anyone wants to target you, they'll go to great lengths to trick you into making a mistake. Even if you do everything right, the people behind the service can step on a mine for you. Even easier if you add AI to the pipeline, where people will tend to offload the vulnerable parts of development/ops to an LLM.
verdverm
Is public-permissionless just a bad fundamental?
vessenes
The multisig UI/UX is a real and long term difficulty for any governance council. "Please sign this opaque transaction with binary data, it represents our agreement. I promise." For a while maybe ten years ago I worked with MakerDAO on this problem - at the time the idea was a separate auditor for proposed transactions. This general attack pattern is: get a lender with good collateral to call your bad collateral good, then swap collaterals, and it's a known and bad attack vector; the ongoing tension between innovation / speed and caution continues. There's probably a flash-loan multiplier angle here for an even worse attack; I'm imagining chaining a liquidity change in the trusted price oracle for the CVT token in the middle of the swapping. Anyway, upshot - don't loan against North Korean attack tokens. Put it on the list.
maipen
It took a long time until we got real digital money, Bitcoin. But all these new protocols want to do stuff at the expense of trustlessness.
youniverse
What a nice retirement fund!
nradov
It's always entertaining to see worthless idiots lose money on an obvious scam like cryptocurrency. Ha ha. Although in this case it seems that North Koreans might have ended up with actual valuable fiat currency, which is unfortunate.
fnoef
Remind me again how cryptocurrency is the future of money, and is definitely not used, primarily, for scams
kernal
Alright, time to fork this bitch.
stavros
Say what you want about cryptocurrency, at least their bug bounties pay well.