The Solana Foundation announced a series of security initiatives on Monday, just five days after decentralized finance (DeFi) platform Drift Protocol suffered a $270 million exploit carried out by a group affiliated with the North Korean state following a six-month social engineering campaign.
The centerpiece is Stride, a structured evaluation program led by Asymmetric Research that will evaluate Solana DeFi protocols against eight security pillars and publish its results publicly. The foundation also launched the Solana Incident Response Network (SIRN), a group of security companies and researchers focused on real-time crisis response.
The initiatives address part of the problem exposed by Drift, but not the mechanisms that actually caused the loss. Drift’s smart contracts have not been compromised and its code has passed audits. The vulnerability was human: the attackers spent six months building relationships with Drift contributors and compromised their devices through a malicious code repository and a fake TestFlight app.
Under Stride, protocols with a total value locked (TVL) of more than $10 million that pass the assessment will benefit from ongoing operational security and active threat monitoring funded by Solana Foundation grants, with coverage calibrated based on each protocol’s risk profile.
For protocols with more than $100 million in TVL, the foundation will also fund formal verification, a mathematical method that verifies every possible execution path in a smart contract to ensure correctness.
In addition to Ametric Research, founding members include OtterSec, Neodyme, Squads and ZeroShadow. The network is available for all Solana protocols but prioritized by TVL.
Read more: How North Korea’s 6-month secret spy program is causing the crypto community to rethink security
Stride’s formal verification, however, would not have detected the North Korean attack, which used the compromised devices to obtain multisig approvals that were then locked into durable temporary transactions and executed weeks later.
Nor would 24/7 monitoring of on-chain activity, as transactions were valid by design and indistinguishable from legitimate administrative actions until they were used to empty the vaults. The attack exploited the gap between on-chain accuracy and off-chain human trust, a gap that no smart contract auditing or monitoring tool is designed to bridge.
SIRN, however, could have contributed to the answer. ZachXBT, an onchain security expert, criticized stablecoin issuer Circle Internet (CRCL) for failing to freeze more than $230 million of its stolen dollar-pegged USDC during a six-hour window after the attack began.
A dedicated incident response network with established relationships with bridge operators, exchanges, and stablecoin issuers could have reduced response time. It remains an open question whether this would have been fast enough to prevent bridging and obfuscation of the wormhole via Tornado Cash.
The foundation was careful to note that the programs “do not transfer underlying responsibility for the protocols themselves,” a line that reads differently after Drift’s autopsy revealed that individual contributors’ devices were the entry point for a nation-state attack.
Solana already hosts several free security tools for builders, including Hypernative for threat detection, Range Security for real-time monitoring, and Neodyme’s Riverguard for attack simulation.
