See What You Sign.
Before The Nonce Fires.

CRIF is a transaction legibility and simulation engine for Solana. Decodes what an instruction actually does, diffs state against live RPC, and flags the exact shape that drained $285M out of Drift on April 1, 2026.

CAFEVmEp8gcN7iqpGYuhzhENM7adaiFvYsQofg7zYspump
  • programs: 08
  • instructions: 80+
  • tests: 28/28
  • drift pattern: detected
  • offline mode: yes
  • risk levels: 4

01 // how it works

Four Stages. One Report.

Every transaction passes through a deterministic pipeline. No heuristics, no ML, no guessing. The engine fetches, simulates, decodes, and classifies in a single pass.

  • 01 Fetch: Pre-state snapshots for every writable account via RPC
  • 02 Simulate: simulateTransaction with accounts config returns post-state
  • 03 Decode: 8 program decoders resolve every instruction by discriminator
  • 04 Classify: Risk merge + durable nonce detection + Drift pattern flag

02 // drift 2026

$285M. Twelve Minutes.
Two Signatures.

On April 1, 2026 a North-Korea-linked group drained 285 million USD from Drift Protocol's Squads multisig. They did not exploit a bug. They did not steal a key. They spent six months posing as a quant firm, then got two council members to pre-sign a routine-looking transaction whose payload was a config_transaction_execute. The pre-signed tx was wrapped in a durable nonce, so it did not expire. The attacker sat on it for a week, then fired. Twelve minutes later the treasury was on Ethereum.

  • 6 months before: Attacker poses as a quant trading firm, builds trust with Drift contributors [social engineering]
  • 2026-03-23: Four durable-nonce accounts created; two council members sign transactions under "routine upgrade" framing [pre-signed]
  • 2026-04-01 12:00: Attacker submits the pre-signed config_transaction_execute txs — admin authority transferred in 4 slots [admin hijack]
  • + 1 minute: Fake CVT token whitelisted as collateral, 500M CVT deposited, real USDC / SOL / ETH withdrawn [drain started]
  • + 12 minutes: $285M out of the vault, most bridged to Ethereum within the hour [game over]
  • now: This engine detects the exact transaction shape before you sign it [detected]

03 // engine output

The Report Drift Never Got.

Below is the verbatim terminal output of the engine consuming a synthesized versioned-transaction whose shape matches the April 2026 Drift exploit. Reproduce it with cargo run --example drift_attack.

    sle simulate --tx $ATTACK_B64 --offline
    ================================================================
    SOLANA TRANSACTION LEGIBILITY REPORT
    ================================================================
    Signature: 4dLPchZ8d2eCX2eobPtT9eN4DHwxmWZZomvPiqQkdwg...
    Fee payer: 4kfEfEk7HrCLpdqo3vtrMYYF9ehzCAm7i4wZeK5f6syi
    Simulation: success
    Overall risk: CRITICAL
    ! DURABLE NONCE: yes - this transaction has no expiry
    ----------------------------------------------------------------
    Human-readable summary:
    [System Program] AdvanceNonceAccount
    ! Durable nonce advance — tx was prepared earlier and kept valid via nonce
    [Squads v4] config_transaction_execute
    ! Governance change being applied — may add/remove signers, lower threshold, or drop timelock
    ! This is the class of instruction used in the April 2026 Drift exploit
    [X] CRITICAL — this transaction matches the APRIL 2026 DRIFT EXPLOIT PATTERN:
    durable nonce + multisig admin execute.
    the attacker that drained $285M from Drift used exactly this shape — pre-signed governance actions that stay valid indefinitely.
    DO NOT SIGN without verifying the inner instructions AND the nonce account lifecycle.
    ----------------------------------------------------------------
    Instructions (2):
    #0 System Program :: AdvanceNonceAccount [MEDIUM]
    #1 Squads v4 :: config_transaction_execute [CRITICAL]
    ================================================================

04 // decoder coverage

Eight Programs.
Eighty-Plus Instructions.

Every decoder lands in the same registry and emits the same LegibilityReport shape. Anchor programs go through a generic discriminator matcher; native programs (System, SPL Token, Token-2022) have custom decoders.

System Program (05)
  • Transfer
  • CreateAccount
  • AdvanceNonceAccount
  • InitializeNonceAccount
  • Allocate

SPL Token (06)
  • Transfer
  • TransferChecked
  • MintTo
  • Burn
  • CloseAccount
  • SetAuthority

Token-2022 (14)
  • base instructions (tag 0-25)
  • permanent_delegate [CRITICAL]
  • non_transferable_mint
  • transfer_hook_extension
  • interest_bearing_mint

Squads v4 (10)
  • vault_transaction_create / execute
  • config_transaction_execute [CRITICAL]
  • proposal_create / approve / reject
  • multisig_create / v2 / set_config

Jupiter v6 (10)
  • route
  • shared_accounts_route
  • exact_out_route
  • route_with_token_ledger
  • create_open_orders

Drift v2 (17)
  • deposit / withdraw
  • place_perp_order / place_spot_order
  • liquidate_perp / liquidate_spot
  • update_user_delegate [HIGH]
  • settle_pnl / cancel_order

Kamino Lend (12)
  • deposit_reserve_liquidity
  • borrow_obligation_liquidity [HIGH]
  • withdraw_obligation_collateral
  • liquidate_obligation
  • flash_borrow / flash_repay

MarginFi v2 (11)
  • lending_account_deposit / withdraw
  • lending_account_borrow [HIGH]
  • lending_account_liquidate
  • set_account_authority [CRITICAL]
  • flashloan start / end
05 // risk classification

Four Levels. No Ambiguity.

Every instruction receives a risk level. The engine merges them upward — if any single instruction is CRITICAL, the entire transaction is CRITICAL. No averaging, no weighting, no probability scores.

| Level | Meaning | Examples |
| --- | --- | --- |
| LOW | Standard operation with no elevated permissions or state risk | SOL transfer, token transfer, close empty account |
| MEDIUM | Operation involves nonce mechanics, authority changes, or non-trivial state mutation | AdvanceNonceAccount, SetAuthority, place_perp_order, deposit_reserve_liquidity |
| HIGH | Borrows, liquidations, delegate changes, or operations that can move funds under external control | borrow_obligation_liquidity, update_user_delegate, lending_account_borrow, liquidate_perp |
| CRITICAL | Governance takeover, permanent delegation, or the Drift 2026 exploit pattern detected | config_transaction_execute + durable nonce, permanent_delegate, set_account_authority |

06 // tech stack

Not a Wallet. Not a Bridge.
A Lens.

A non-custodial pre-sign defense layer built for one specific job: showing you the ground truth of a transaction before your signature commits to it. Your keys never touch our code. Zero runtime panics, zero telemetry, zero network dependency in offline mode.

Solana SDK 2.0

RPC client, account decoder, transaction status

Anchor Discriminators

sha256('global:<name>')[0..8] matching for all Anchor programs

Tokio Async Runtime

Non-blocking RPC calls, concurrent account fetches

Clap CLI Framework

Type-safe argument parsing with derive macros

Next.js 16 + Spline

Documentation site with 3D hero and edge-rendered OG images

28 Offline Tests

Full decoder + classifier coverage without network dependency

07 // faq

Questions. Answered.

What does CRIF actually do?

Decodes Solana transactions into human-readable reports. It fetches pre-state for every writable account, simulates the transaction, resolves each instruction through program-specific decoders, and classifies the overall risk. The output tells you exactly what a transaction will do before you sign it.

Does it work offline?

Yes. The --offline flag skips RPC simulation and state diffing, but still decodes every instruction, detects durable nonces, identifies the Drift 2026 pattern, and assigns risk levels. Useful for air-gapped signing environments or when you just need structural analysis.

What is the Drift 2026 pattern?

The combination of a durable nonce (AdvanceNonceAccount as the first instruction) plus a Squads v4 config_transaction_execute. This is the exact transaction shape used to drain $285M from Drift Protocol on April 1, 2026. The attacker got council members to pre-sign governance actions wrapped in nonces that never expired, then submitted them a week later.
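
The merge-upward rule from the risk classification section and the pattern check described in this answer, as an added Rust example (not CRIF's own code). `Risk`, `Ix`, `Verdict`, `risk_of` and `classify` are hypothetical names; the input is assumed to be already-decoded (program label, instruction name) pairs, and instructions not listed in the match default to LOW as a simplification.

```rust
// Added example: hypothetical types, not CRIF's API. Input is what the Decode
// stage would emit: one (program label, instruction name) pair per instruction.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Risk { Low, Medium, High, Critical }

pub struct Ix { pub program: &'static str, pub name: &'static str }

#[derive(Debug, PartialEq)]
pub struct Verdict { pub risk: Risk, pub durable_nonce: bool, pub drift_pattern: bool }

// Per-instruction levels copied from the page's decoder lists and risk table.
fn risk_of(ix: &Ix) -> Risk {
    match (ix.program, ix.name) {
        ("Squads v4", "config_transaction_execute")
        | ("Token-2022", "permanent_delegate")
        | ("MarginFi v2", "set_account_authority") => Risk::Critical,
        ("Drift v2", "update_user_delegate")
        | ("Kamino Lend", "borrow_obligation_liquidity")
        | ("MarginFi v2", "lending_account_borrow") => Risk::High,
        ("System Program", "AdvanceNonceAccount")
        | ("SPL Token", "SetAuthority") => Risk::Medium,
        _ => Risk::Low, // assumption: anything not listed above is treated as LOW
    }
}

pub fn classify(ixs: &[Ix]) -> Verdict {
    // Only AdvanceNonceAccount at index 0 makes a transaction a durable-nonce one.
    let durable_nonce = ixs.first().map_or(false, |ix| {
        ix.program == "System Program" && ix.name == "AdvanceNonceAccount"
    });
    let admin_execute = ixs.iter()
        .any(|ix| ix.program == "Squads v4" && ix.name == "config_transaction_execute");
    let drift_pattern = durable_nonce && admin_execute;
    // Merge upward: the transaction takes the highest level of any instruction.
    let merged = ixs.iter().map(risk_of).max().unwrap_or(Risk::Low);
    // The pattern is CRITICAL regardless of what the per-instruction merge gives.
    let risk = if drift_pattern { Risk::Critical } else { merged };
    Verdict { risk, durable_nonce, drift_pattern }
}

fn main() {
    // Constructed sample with the same two instructions as the report above.
    let tx = [
        Ix { program: "System Program", name: "AdvanceNonceAccount" },
        Ix { program: "Squads v4", name: "config_transaction_execute" },
    ];
    println!("{:?}", classify(&tx));
}
```

A transaction that carries config_transaction_execute without a leading AdvanceNonceAccount still merges to CRITICAL here, but is not flagged as the pattern because it expires with its blockhash.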

Which programs are supported?

8 programs: System Program, SPL Token, Token-2022, Squads v4, Jupiter v6, Drift v2, Kamino Lend, and MarginFi v2. Together these cover 80+ instructions. Anchor programs use a generic discriminator matcher; native programs have custom decoders.

Is there a token?

$CRIF on Solana. Community-driven, no DAO, no governance — the token is a signal of support, not a control mechanism. The engine itself is open source and non-custodial: it stays free, your keys stay yours, and the protocol stays the same regardless of token holders.

Can I use it as a library?

Yes. Add the crate as a git dependency in your Cargo.toml and import the decoder registry and report types directly. The public API exposes simulate_transaction, decode_instructions, and classify_risk as composable functions.