Sec3

A recent major Solana exploit made the problem clear: not every protocol drain starts with buggy code. Some attacks rely on on-chain staging before execution: durable nonce activity and multisig governance changes. We added 3 free WatchTower monitoring bots for Solana protocols to detect that staging: • durable nonce account creation targeting your signers • nonce authority transfers to or from your signers • multisig config changes: threshold, timelock, members, config authority, rent collector Free for all Solana protocols: https://t.co/8nJVZlovve

Lessons from the Drift Protocol Exploit - A Security Checklist for Solana Teams On April 1, Drift Protocol unfortunately experienced an approximately $285 million exploit. The attack surface was not code. It was governance configuration, key management, and operational trust assumptions. This is not a post-mortem of Drift. The facts are still developing and the team is actively responding. This is about what protocol teams should verify in their own deployments. What Happened The attacker gained access to multisig signer credentials through social engineering, then executed a staged operation over three phases: Infrastructure staging: a token was deployed with seeded liquidity to create the appearance of a legitimate asset. Durable nonce accounts were created on-chain (the first appearing 8 days before the exploit, the second one day prior), enabling pre-authorized transactions that could be triggered at a chosen time. Configuration change: the multisig was migrated to a new configuration that did not include a timelock on administrative actions. Execution: 31 withdrawal transactions drained three core vaults in approximately 12 minutes. Assets were bridged to Ethereum shortly after. What This Means for Other Protocols Each phase of this attack targeted operational and governance layers rather than smart contract logic. Any protocol with admin-controlled parameters, multisig governance, or privileged operations should consider whether similar vectors apply. What to Check Governance • Verify your multisig threshold and signer set. Confirm no unauthorized configuration changes have been made. • Confirm timelocks are enforced on non-emergency administrative operations (parameter changes, upgrades, configuration updates). Emergency stop functions can remain fast. • Monitor proposal creation, approval progression, and execution of privileged operations. Key Management • Confirm admin keys are secured via HSM or MPC with documented procedures around signing. • Scan for outstanding durable nonce accounts associated with your program authorities. Unrecognized nonce accounts warrant investigation. • Verify that any transaction using a durable nonce is fully expected and independently reviewed before signing. Operational Safeguards • Check whether withdrawal rate limits or circuit breakers make sense for your protocol's architecture. • Pre-establish contacts with bridge operators and exchanges for asset freeze coordination. Cross-chain fund movement during incidents moves faster than ad-hoc coordination. Takeaway Protocol security extends beyond code. Governance design, key management practices, and operational procedures are all part of the attack surface. Teams that proactively review these areas are better positioned to prevent and respond to this class of incident. If you have questions about your protocol's configuration or want help reviewing your security posture, reach out to us at [email protected]. - Sec3

AI agents exploited smart contracts worth $4.6mn in simulated attacks, with capabilities doubling every 1.3 months, but they still needed source code access. Non-public source code programs have some protection: AI reverse engineering exists but is far less capable than source code analysis. Though this gap will narrow. https://t.co/yQI3UO8r2C