ZachXBT called Circle “asleep” as stolen USDC flowed from Solana to Ethereum during the multi-hour Drift Protocol exploit window.
Blockchain investigator ZachXBT has once again slammed Circle and its CEO, Jeremy Allaire, following alleged inaction during the $280 million exploit tied to Drift Protocol.
He described the entire fiasco as a critical delay in response as funds were actively moved across chains.
Circle Under Fire
In a post on X, ZachXBT said the stablecoin issuer “was asleep” as millions in USDC were bridged from Solana to Ethereum during the exploit. In a separate update, he found that the transfers occurred across roughly 100 transactions. He added that “value was moved and nothing was done.” He also cited a recent incident involving the freezing of over 16 business wallets, and called Circle’s handling “incompetent” while labeling the firm and Allaire as “bad actors for the industry.”
The allegations emerged as several market commentators debated whether faster action could have limited the movement of funds during the exploit window, particularly as large volumes were reportedly transferred over several hours without interruption.
Meanwhile, Drift Protocol disclosed that the incident stemmed from a highly coordinated and sophisticated attack rather than a flaw in its smart contracts. According to the team, a fraudulent actor gained unauthorized access through a “novel attack involving durable nonces,” which enabled pre-signed transactions to be executed later.
This allowed the attacker to effectively bypass real-time detection and quickly assume control over administrative permissions tied to the protocol’s Security Council. Drift confirmed that the exploit was not caused by compromised seed phrases or code vulnerabilities but instead involved unauthorized or misrepresented approvals, which were likely obtained through social engineering. The attacker secured the required 2-of-5 multisig approvals and executed a malicious admin transfer within minutes. They then introduced a malicious asset and removed withdrawal limits.
Drift Hack Timeline
The timeline shared by Drift revealed that the groundwork for the attack began as early as March 23 with the creation of durable nonce accounts linked to both legitimate multisig members and attacker-controlled wallets. Additional preparations continued through a multisig migration on March 27 and further nonce activity on March 30, which led to the execution phase on April 1, when pre-signed transactions were triggered shortly after a legitimate test transaction.
You may also like:
In response, Drift froze remaining protocol functions, removed the compromised wallet from the multisig, and began coordinating with security firms, exchanges, and law enforcement to trace and potentially recover the stolen assets.
Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).
LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!
