A New Class of Protocol Attacks

Introduction: A New Class of Protocol Attacks

Decentralized finance (DeFi) has long relied on distributed governance and multi-signature (multi-sig) controls as core defenses against large-scale theft. However, recent incidents have challenged this security model. The Drift Protocol exploit, which Ledger CTO Charles Guillemet compared to the Bybit hack, demonstrates how attackers are shifting their focus from code vulnerabilities to the people and processes that safeguard protocols. This evolution in attack strategies presents new risks for DeFi and cross-chain projects.

How Multi-Sig and Governance Defenses Failed

Multi-sig wallets and governance frameworks are designed to prevent any single party from acting unilaterally. The assumption is that requiring multiple approvals reduces risk. Yet, these protections depend on the security of the underlying keys and devices. In the Drift attack, the breach did not stem from a flaw in the smart contract, but from attackers gaining access to the devices or keys of multi-sig holders. Through persistent infiltration and social engineering, attackers managed to obtain the necessary approvals for malicious transactions.
This method is reminiscent of the Bybit hack, where operational weaknesses were exploited rather than technical bugs. In both cases, once enough keyholders were compromised, the multi-sig mechanism itself became ineffective as a safeguard.
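The threshold argument above, as an added worked model that is not from the article or from the Drift or Bybit teams: a binomial tail gives the chance an attacker reaches k of n signers when each compromise is independent, and a mixture term captures the page's point that a long-term infiltration campaign against operator devices compromises signers together rather than one by one. All parameter values are constructed for illustration.

```python
from math import comb
from typing import Optional


def p_at_least(n: int, k: int, p: float) -> float:
    """Probability that at least k of n signers are compromised when each signer
    is compromised independently with probability p (binomial tail). For a
    k-of-n multi-sig this is the chance an attacker can reach the threshold."""
    if not (0 < k <= n) or not (0.0 <= p <= 1.0):
        raise ValueError("need 0 < k <= n and 0 <= p <= 1")
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def p_breach_campaign(n: int, k: int, p_base: float,
                      p_campaign: float, p_signer_in_campaign: float) -> float:
    """Mixture model for the failure mode the text describes: with probability
    p_campaign the team is under a long-term infiltration campaign (malware or
    phishing against operator devices), during which each signer falls with
    probability p_signer_in_campaign. Otherwise signers are compromised
    independently at the background rate p_base."""
    return (p_campaign * p_at_least(n, k, p_signer_in_campaign)
            + (1 - p_campaign) * p_at_least(n, k, p_base))


def min_threshold(n: int, p: float, budget: float) -> Optional[int]:
    """Smallest k whose independent k-of-n breach probability is within budget,
    or None if even n-of-n cannot meet it."""
    for k in range(1, n + 1):
        if p_at_least(n, k, p) <= budget:
            return k
    return None


if __name__ == "__main__":
    # Constructed parameters, not figures from either incident.
    n, p_base = 5, 0.05
    for k in (2, 3, 4):
        indep = p_at_least(n, k, p_base)
        camp = p_breach_campaign(n, k, p_base, p_campaign=0.10,
                                 p_signer_in_campaign=0.60)
        print(f"{k}-of-{n}: independent={indep:.6f}  with campaign={camp:.6f}")
    print("k needed for a 1e-4 budget (independent):",
          min_threshold(n, p_base, 1e-4))
```

Raising k helps a great deal under the independent model but only modestly under the campaign model, which is why the text treats endpoint security of the signers, not the threshold itself, as the real control.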

The Drift and Bybit Incidents: What Happened

According to statements from Ledger’s CTO, the Drift Protocol exploit was not due to a smart contract issue but rather a compromise of the multi-sig process. Hackers reportedly took control of a multi-sig holder’s device or acquired enough private keys to push through transactions of their own choosing. The Bybit attack followed a similar pattern, with some speculation about links to North Korean groups, though attribution remains uncertain based on available information.
In both incidents, significant funds were quickly transferred to wallets controlled by the attackers, leaving little opportunity for recovery. These events underscore how attackers are increasingly targeting the human and operational aspects of DeFi security, rather than just the codebase.

Operational Security Gaps Exposed

The core vulnerability revealed by these attacks lies not in the smart contracts themselves, but in endpoint and operational security. Reports indicate that attackers gained access through long-term infiltration, using methods such as malware or phishing to compromise operator devices. Once inside, they waited for the right moment to collect enough keys or manipulate administrators into approving harmful actions.
Industry experts, including Ledger’s CTO, have emphasized the need for stronger endpoint detection and the adoption of hardware-backed plaintext signatures. These measures can help reduce the risk of device takeovers and alert operators to unauthorized activity. The recent incidents highlight that DeFi teams must prioritize operational security with the same diligence as they do smart contract audits.

Defense Strategies for DeFi Protocols

For protocols that rely on multi-sig and governance, strengthening operational defenses is essential. Steps that can help mitigate these risks include adopting hardware wallets and requiring hardware-backed signatures for all multi-sig actions, implementing robust endpoint protection and monitoring for all keyholders, regularly rotating keys, limiting the exposure of signing devices, and training operators to recognize social engineering and phishing attempts.
While technical controls remain important, these incidents show that human and operational factors are now a primary line of defense in DeFi security. Every device, approval process, and communication channel should be considered a potential attack surface and protected accordingly.

Conclusion: Rethinking Trust in DeFi Admin

The Drift and Bybit incidents serve as a warning for DeFi and cross-chain projects: attackers are adapting, and defenders must do the same. Governance controls and multi-sig protections are only as strong as the security of the people and devices behind them. DeFi teams need to address operational risks throughout the entire lifecycle of protocol management—not just focus on code audits.

As the DeFi landscape evolves, understanding protocol security is just as important as finding efficient routes for your assets. To compare options and discover safer cross-chain paths, explore the Chainspot router and stay proactive in managing your onchain security.

Chainspot News