
CHECK TIME LOCKS

All podcast episode summaries matching CHECK TIME LOCKS — aggregated across every podcast we track.


Macro Pods
APR 4, 2026 · Laura Shin
  • Admin key compromise enabled the massive exploit

    “In contrast to last week, we were talking about the Resolv hack... Here, it wasn't a single key. It was a multi-sig. However, it was a two of five multi-sigs. So this is like the minimum amount of signatures that you would need in a multi-sig. So it's one step above a single key. We're still waiting for an official, I think, post-mortem... but it looks like this was a planned event, and I think that the hacker had some type of access that the team didn't know about.”

    — Omer Goldberg
  • Zero time locks prevented effective emergency response

    “Notably, it had zero time lock on any of the functions it could execute. And for listeners, what time lock means is, even though certain privileges in an application need to be signed by whitelisted addresses, a time lock basically says after they sign it, there's a gap between when it actually executes. And this is typically an additional security precaution to make sure that what was signed and the change enacted is indeed what you want it to be.”

    — Omer Goldberg
  • Supply chain attacks now target developer machines

    “If you can actually receive control on one of these packages, you just make a tiny modification where you can add a piece of code that effectively once run on any developer's machine gives you root access to the machine. So you can read and write whatever you want. And the second, something like that happens, which we've seen with Axios last week with Light LLM, one of the biggest AI packages, but there have been hundreds of packages that have been infected in this manner. You can do whatever you want on the machine.”

    — Omer Goldberg
  • Fake tokens and oracles manipulated collateral value

    “So created a token, spun up a fake oracle, or like a real oracle that was pointing to the fake pool, pumped the price, and then they had all of this kind of credit in the system that they could use to withdraw and drain Drift from all of the blue chip protocols. So this is again why I say it's sophisticated because this attacker was preparing. He spun up the feed, he was running fake volumes in the AMM where the CVT pool is being traded and the oracle read the price from. And then also created a fake market on Drift with max risk parameters.”

    — Omer Goldberg
  • April Fool's timing delayed the initial alarm

    “And the attacker waited. I think some of the speculation was that they waited until April 1st, for April Fool's Day, so that when messages of the hack were being dispatched, there would be confusion about whether or not it was real or a prank. And pretty swiftly, within seconds, at least for the first batch, the attacker executed a series of transactions that effectively enabled them to deposit and manipulate the price of the collateral into the Drift vaults and extract all of the blue chip assets.”

    — Omer Goldberg
