DeFi protocols with nominally decentralized governance but centralized admin keys face state-sponsored social engineering attacks that exploit the gap between formal and effective decentralization

The Drift Protocol hack ($285M, April 2026) reveals a critical vulnerability in DeFi protocols that claim decentralization but retain centralized admin keys. DPRK-linked attackers (UNC4736) spent months posing as a quantitative trading firm to build trust with Drift contributors. They exploited Solana's 'durable nonces' feature to trick Security Council members into pre-signing dormant transactions that would transfer admin control. Once they gained admin access, attackers changed protocol parameters to accept a fake token (CVT) as collateral with infinite borrowing limits, then deposited 500M CVT to withdraw $285M in real assets. The attack vector was NOT the governance mechanism itself but rather the existence of a Security Council with unilateral signing authority that could be socially engineered. This represents a gap between formal decentralization (governance token distribution) and effective decentralization (actual control over protocol parameters). The hack demonstrates that protocols with centralized admin keys remain vulnerable to sophisticated state-sponsored attacks regardless of their governance token structure. This is particularly relevant for futarchy implementations: the Drift hack is evidence FOR futarchy-style distributed governance (no single admin control) rather than against DeFi as a category.