TechFlow: Drift Protocol exploited via multisig migration flaw, losses top $200 million
Cos (Yu Sheng), founder of SlowMist (@evilcos), said the Drift Protocol exploit stemmed from a governance change made a week earlier: the protocol migrated to a 2-of-5 multisig setup without a timelock, consisting of 1 legacy signer and 4 new signers. The attacker leveraged the configuration to gain admin control within hours, then minted counterfeit CVT tokens, manipulated oracle feeds, shut off relevant security safeguards, and ultimately emptied the pool. Total losses exceeded $200 million.
Cos urged DeFi teams to conduct frequent reviews of worst-case scenarios involving owner/admin private key compromise, and to strengthen monitoring, alerting, and incident response. He also warned users to understand their exposure to extreme loss events—such as internal malfeasance—before engaging with any DeFi protocol, rather than participating blindly.
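The kind of pre-change review Cos calls for can be partly automated. The following is an added example, not code from the article, Drift or SlowMist: a small policy check a defender runs over a proposed multisig migration. The policy limits, signer names and the "before" configuration are constructed assumptions; only the shape of the "after" configuration (2-of-5, one legacy signer, four new signers, no timelock) follows the report.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class MultisigConfig:
    signers: frozenset      # signer identities (addresses or key ids)
    threshold: int          # k in a k-of-n scheme
    timelock_seconds: int   # delay before an approved admin action executes; 0 = immediate

# Policy limits are assumptions for this example, not values from the incident report.
MIN_TIMELOCK_SECONDS = 48 * 3600
MIN_THRESHOLD_FRACTION = 0.5

def review_migration(old: MultisigConfig, new: MultisigConfig) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for a proposed multisig change; [] means it passes."""
    findings = []
    n = len(new.signers)
    if not 1 <= new.threshold <= n:
        return [("INVALID_THRESHOLD", f"threshold {new.threshold} with {n} signers")]
    if new.timelock_seconds < MIN_TIMELOCK_SECONDS:
        # Without a delay there is no window for monitoring/alerting to react.
        findings.append(("TIMELOCK_TOO_SHORT",
                         f"{new.timelock_seconds}s, policy requires {MIN_TIMELOCK_SECONDS}s"))
    if new.threshold / n < MIN_THRESHOLD_FRACTION:
        findings.append(("LOW_QUORUM", f"{new.threshold}-of-{n} is below half the signer set"))
    added = new.signers - old.signers
    if len(added) >= new.threshold:
        # Core flaw in the reported setup: keys introduced by this very change can reach
        # quorum on their own, so no pre-existing signer is needed for any admin action.
        findings.append(("NEW_SIGNERS_ALONE_REACH_QUORUM",
                         f"{len(added)} new signers >= threshold {new.threshold}"))
    return findings

# Constructed sample: a hypothetical 2-of-3 with a timelock migrating to the reported shape.
OLD = MultisigConfig(frozenset({"legacy-A", "legacy-B", "legacy-C"}), 2, 48 * 3600)
NEW = MultisigConfig(frozenset({"legacy-A", "new-1", "new-2", "new-3", "new-4"}), 2, 0)

if __name__ == "__main__":
    for code, detail in review_migration(OLD, NEW):
        print(f"{code}: {detail}")
```

A change that trips any finding should be held for manual review rather than executed; the same function can gate signer-set and threshold updates on a timelocked governance path.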