Circle failed to intercept $420 million in USDC since 2022, according to ZachXBT

On-chain researcher ZachXBT said Circle may have failed to intercept up to $420M since 2022, after the stablecoin issuer froze some USDC but did not act within the first hours following a hack. ZachXBT argued Circle was too slow to freeze USDC after the Drift Protocol exploit, when the attacker was still holding some of the funds. Other protocols were also involved in partially freezing tokens, but not specifically USDC. ZachXBT also pointed to Tether’s response, saying it froze known addresses carrying USDT0 (a cross-chain token), helping salvage some losses. ZachXBT previewed that previous hacks total $420M since August 2022.

Drift Protocol hack: delayed freezes and bridge transfers

After the Drift Protocol hack, Circle had a six-hour window during which it received constant reports of addresses holding USDC. Despite USDC’s freeze function, ZachXBT said Circle did not act to intercept the funds during that period.

ZachXBT said the attacker used Circle’s native CCTP bridge to move $223M from Solana to Ethereum. The researcher also said Circle did not use bridge capabilities to stop the transactions. ZachXBT further noted that the same bridge was used in the Cetus Protocol hack, where Circle also did not act in time.

According to ZachXBT, the USDC exploit address was only frozen weeks after the incident, after the stablecoins had already been converted to ETH.

USDC’s role on Solana and the “freeze” narrative

USDC accounts for the bulk of liquidity on Solana. The stablecoin was marketed as fully regulated and safer due to the freeze function. Over time, USDC became a preferred asset for DEX trading and lending pools.

In total, Solana holds $14.8B in stablecoins, including $8.6B in USDC.

Impact on DeFi security expectations

DeFi safety and “institutional-grade” security have been key crypto narratives, supported by the expectation that the freeze function could reduce losses. The latest exploit, however, highlighted that USDC was not a failsafe tool and could not protect DeFi lenders from losses.

Broader pattern: attacks, detection, and ad hoc freezing

ZachXBT said increased DeFi attacks often occur during bull markets, but noted the past quarter was a relatively busy period with notable attacks against smart contracts and protocols—showing that Web3 remained a target even during a bear market.

The researcher also said alerting and intercepting funds is still handled on an ad hoc basis, often identified by on-chain researchers rather than a standardized process. ZachXBT added that Web3 protocols frequently rely on multisig wallets, which can introduce additional risk and expose Solana DeFi to other exploits.

What remains unclear

For now, Drift Protocol has not explained how the attacker gained access to some of the multisig keys, though ZachXBT said a social engineering exploit is probable. ZachXBT also suggested other protocols may have similar vulnerabilities or insider exposure.