Blockchain investigator ZachXBT has criticized stablecoin issuer Circle for its alleged inaction during a $280 million exploit of the Solana-based Drift Protocol. He stated the firm “was asleep” as stolen USDC was bridged from Solana to Ethereum over several hours. The Drift team attributed the attack to a sophisticated method involving “durable nonces” and social engineering, not a smart contract flaw, and has moved to freeze functions and cooperate with authorities.
Blockchain investigator ZachXBT has again criticized Circle and its CEO Jeremy Allaire following alleged inaction during a $280 million exploit linked to Drift Protocol. He characterized the incident as a critical delay in response, as funds were actively being moved across chains.
ZachXBT said the stablecoin issuer “was asleep” as millions in USDC were bridged from Solana to Ethereum during the exploit. He added that “value was moved and nothing was done,” and cited a recent wallet-freezing incident to label the firm’s handling as incompetent.
Market commentators debated whether faster action could have limited fund movement, as large volumes were reportedly transferred over several hours without interruption. Meanwhile, Drift Protocol disclosed the incident stemmed from a highly coordinated and sophisticated attack rather than a flaw in its smart contracts.
The team stated a fraudulent actor gained unauthorized access through a novel attack involving “durable nonces,” enabling pre-signed transactions to be executed later. This allowed the attacker to bypass real-time detection and assume control over the protocol’s Security Council administrative permissions.
Drift confirmed the exploit was not caused by compromised seed phrases or code vulnerabilities but involved unauthorized approvals likely obtained through social engineering. The attacker secured required multisig approvals and executed a malicious admin transfer within minutes before introducing a malicious asset and removing withdrawal limits.
A timeline shared by Drift revealed the attack’s groundwork began as early as March 23 with the creation of durable nonce accounts. The execution phase occurred on April 1, when pre-signed transactions were triggered shortly after a legitimate test transaction.
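A defender-side check for the pattern described above, as an added example that is not from Drift or the original article: on Solana, a durable-nonce transaction begins with the System Program's AdvanceNonceAccount instruction, so a monitor can flag any such transaction signed by a privileged key. The record layout follows the RPC `jsonParsed` encoding; the signer names, signatures and sample transactions are constructed placeholders.

```python
SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"

def nonce_advance(tx):
    """Return the advanceNonce info if tx is a durable-nonce transaction, else None."""
    instructions = tx["transaction"]["message"]["instructions"]
    if not instructions:
        return None
    first = instructions[0]  # durable-nonce transactions advance the nonce first
    parsed = first.get("parsed")
    if (first.get("programId") == SYSTEM_PROGRAM_ID
            and isinstance(parsed, dict)
            and parsed.get("type") == "advanceNonce"):
        return parsed.get("info", {})
    return None

def flag_watched_nonce_txs(txs, watched_signers):
    """Alert on durable-nonce transactions signed by any watched (privileged) key."""
    alerts = []
    for tx in txs:
        info = nonce_advance(tx)
        if info is None:
            continue
        keys = tx["transaction"]["message"]["accountKeys"]
        signers = {k["pubkey"] for k in keys if k.get("signer")}
        hits = sorted(signers & watched_signers)
        if hits:
            alerts.append({"signature": tx["transaction"]["signatures"][0],
                           "nonce_account": info.get("nonceAccount"),
                           "watched_signers": hits})
    return alerts

def make_tx(sig, signers, first_ix):
    """Build a constructed sample record shaped like a jsonParsed transaction."""
    return {"transaction": {"signatures": [sig], "message": {
        "accountKeys": [{"pubkey": s, "signer": True} for s in signers],
        "instructions": [first_ix, {"programId": "MULTISIG_PROGRAM_PLACEHOLDER"}]}}}

# Constructed sample data: placeholder names, not real addresses or signatures.
ADVANCE = {"programId": SYSTEM_PROGRAM_ID, "parsed": {
    "type": "advanceNonce", "info": {"nonceAccount": "NONCE_ACCT_PLACEHOLDER"}}}
TRANSFER = {"programId": SYSTEM_PROGRAM_ID, "parsed": {"type": "transfer", "info": {}}}
SAMPLE = [make_tx("SIG_1", ["COUNCIL_MEMBER_A"], ADVANCE),   # privileged key + nonce
          make_tx("SIG_2", ["COUNCIL_MEMBER_A"], TRANSFER),  # ordinary blockhash tx
          make_tx("SIG_3", ["UNRELATED_USER"], ADVANCE)]     # nonce, unwatched signer
WATCHED = {"COUNCIL_MEMBER_A", "COUNCIL_MEMBER_B"}

if __name__ == "__main__":
    for alert in flag_watched_nonce_txs(SAMPLE, WATCHED):
        print(alert)
```

Because a pre-signed durable-nonce transaction does not expire with a recent blockhash, an alert like this marks a signature that stays usable until the nonce account is advanced.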
In response, Drift froze remaining protocol functions and removed the compromised wallet from its multisig. The team began coordinating with security firms, exchanges, and law enforcement to trace and potentially recover the stolen assets.
