Real incidents, reviewed

reproducible

Documented, real Solana drains run through the live reviewer. Every verdict below is the engine's actual output on that exact on-chain transaction. Click Verify live to reproduce it, or call the public API on the same signature. Simulation is not enough; static instruction-level review catches what a balance-diff preview misses, and it is honest about what it does not catch.

← review your own transaction

Caught before signing

SlowMist: wallet owner-permission hijack

~$3M+ lost · 2025-11-26 · SlowMist post-mortem

high93/100

A System assign silently reassigns the victim's own account owner to the attacker (GKJB...wbzQ), alongside two unlimited token approvals. A wallet simulation shows no fund movement, so it looks safe.

  • ACCOUNT_REASSIGNReassigns account ownership (System Assign)
  • TOKEN_DELEGATE_APPROVEApproves an UNLIMITED token delegate (x2)
  • UNKNOWN_PROGRAMInteracts with an unrecognized program
Caught:Flagged HIGH (93/100) before signing. The owner reassignment and the unlimited approvals are irreversible, so the circuit breaker returns REQUIRE_HUMAN. This is exactly the silent owner-change that a balance-diff simulation misses.
524t8LW1...nK3itMVJVerify live ↗

PYTH address-poisoning

~$2.91M lost · 2024-11-23 · Scam Sniffer / Pine Analytics

high45/100

The victim sent about 7M PYTH (~$2.91M) to a lookalike 'poison' address (4yfu...izcY) that mimics the intended recipient (4yfu...gnhY), copied from a dusting transaction.

  • FULL_TOKEN_ACCOUNT_DRAINSends the full token-account balance out
Caught:Flagged HIGH as a full-balance outflow, enough to make you stop before signing. Honest limit: we flag the magnitude, not the lookalike itself; detecting the address resemblance needs cross-transaction history the engine does not hold.
T3vqZjME...yvQ2h5RPVerify live ↗

Vanish drainer (TOCTOU bit-flip)

~$3K (this tx) lost · 2024-02-10 · Blockaid: dissecting TOCTOU attacks

high80/100

A time-of-check/time-of-use drainer. The signed transaction simulates benign, then the attacker flips on-chain state about 7 blocks later so execution sweeps the wallet through an opaque program (HkRd...oynz).

  • FULL_TOKEN_ACCOUNT_DRAINSends the full token-account balance out
  • UNKNOWN_PROGRAMInteracts with an unrecognized program
  • MANY_WRITABLE_ACCOUNTSMany writable accounts
Caught:The realized drain is flagged HIGH. And before signing, the opaque attacker program alone returns REQUIRE_HUMAN (do not auto-sign what you cannot inspect). This is the case simulation-only tools miss: the simulation was benign, the execution was a drain.
EPbgcCqc...3HwWZ8itVerify live ↗

Where static review does not help (honest)

Drift Protocol exploit

~$285M lost · 2026-04-01 · Chainalysis / QuillAudits

medium35/100

A DPRK-linked group socially engineered Drift's Squads multisig signers into pre-signing (via durable nonces) a governance transaction that handed program admin to the attacker, who then drained ~$285M.

  • UNKNOWN_PROGRAMInteracts with unrecognized programs
  • DURABLE_NONCE_PRESENTUses a durable nonce (delayed execution)
Honest limit:Honestly, the engine would NOT have blocked this. The damaging transaction was a valid multisig governance action, and the privilege handover was a Drift-specific UpdateAdmin CPI, not a System or SPL instruction we detect. We raise only a low durable-nonce note plus 'unknown program'. The root cause (key and governance compromise) is upstream of any transaction reviewer. What would help: per-program admin-change decoding, on the roadmap.
4BKBmAJn...ygB9RsN1Verify live ↗