Asymmetric Research Publishes First STRIDE Findings After 12 Weeks Auditing Solana Protocols

By Solana 🧭 Compass

STRIDE audited 40 Solana DeFi protocols: 17% have full logging, 13% mature key management, 9% advanced program defenses. First findings by Asymmetric Research.


Asymmetric Research has published the first public findings from STRIDE, a 12-week continuous security review program covering Solana DeFi protocols, with results that show most protocols still have significant operational security gaps even after passing traditional code audits.

The report, released June 30 at stride.asymmetric.re/first-findings, covers the initial wave of 40 protocols assessed under the program. STRIDE (Solana Trust, Resilience and Infrastructure for DeFi Enterprises) was launched in April 2026 in partnership with the Solana Foundation, and assesses protocols across eight security pillars rather than focusing solely on smart contract code.

What STRIDE Measures

The program evaluates each protocol against 40 controls organized under eight pillars: program security, governance, oracle and external dependencies, infrastructure, supply chain and release processes, operational security, monitoring and incident response, and logging and alerting. Each control is scored on a four-point maturity scale from zero (not implemented) to three (advanced). Asymmetric Research conducts an independent verification stage after protocols complete a self-assessment.

A key finding in the first report: self-reported completion often overstated real implementation. As Asymmetric Research noted in the report, "controls marked complete often had partial coverage or workarounds that only emerged under scrutiny." The organization attributed this to resource constraints and audit-culture norms rather than deliberate misrepresentation.

First-Wave Results Across 40 Protocols

The headline numbers from the first 12 weeks show most protocols are well below mature on the controls that matter most outside of code review.

Comprehensive logging & alerting: ~17%
Mature key management practices: ~13%
Verifiable builds in use: ~13%
Advanced program-layer defense: ~9%

Logging and alerting was the most widely missing control, with roughly 83% of the 40 protocols lacking comprehensive monitoring. On-chain anomalies, the early warning signs of an exploit in progress, can go undetected for hours or days without it. Systematic fund drains can proceed without triggering any alert.

Operational security and key management showed similarly low adoption. The findings describe common problems: unmanaged devices with elevated access, credentials stored on disk, and overpowered access scopes that could allow unauthorized program upgrades. That class of vulnerability is one a code audit will not catch, because the code itself may be correct.

Supply chain and release security, specifically whether protocols use reproducible and verifiable builds, sat at 13% adoption. Without provenance controls over production artifacts, a compromised dependency can introduce malicious code without touching the audited codebase.

Program-layer defense-in-depth, which covers circuit breakers, rate limits, and emergency pause functions that could isolate an exploit mid-execution, was at 9%. For protocols holding significant TVL, the absence of these controls means there is no mechanism to limit damage once an attacker has found a path in.

How STRIDE Scores and Reports Protocol Security Posture

The report is an assessment of operational security posture, not a vulnerability disclosure. Asymmetric Research did not identify specific protocol names or publish exploit-ready findings. The purpose is to establish a baseline: a measurable picture of where the ecosystem stands across these categories, and a clear target for individual protocols to improve against.

STRIDE evaluates against a published framework, scores protocols against it, and produces a risk tier rating per protocol. For protocols exceeding $10M in TVL that pass the assessment, the Solana Foundation funds ongoing threat monitoring and operational security support. Formal verification is available for protocols above $100M TVL. These benefits are conditional on passing the assessment, not automatically granted.

Why Asymmetric Research Built STRIDE After the Drift Protocol Exploit

STRIDE's creation followed the April 2026 Drift Protocol exploit: the Solana Foundation and Asymmetric Research announced the program days after that incident. The episode showed that code-only audit programs leave significant attack surface unaddressed, particularly around operational controls that live outside the contract code itself.

Asymmetric Research's position in STRIDE is as an independent assessor, not a co-auditor with protocols. The organization brings prior incident response experience across the Solana ecosystem. Its partner network for STRIDE includes over 25 security vendors covering fuzzing, formal verification, static analysis, and bug bounties, among them Trail of Bits, Certora, Immunefi, and Sherlock.

The companion initiative to STRIDE is SIRN, the Solana Incident Response Network. SIRN is a membership-based network of security firms with coordinated response capabilities. Founding participants include Asymmetric Research, OtterSec, Neodyme, Squads, and ZeroShadow.

STRIDE's Next Phase: Expanding Beyond the Initial 40 Protocols

Asymmetric Research described this report as the first in a series of updates. The program plans to expand the assessment dataset beyond the initial 40 protocols, refine its framework based on empirical results, and establish a durable ecosystem-wide security baseline that can be tracked over time.

The 40 protocols in the first wave are not individually named in the public findings. The organization's stated model publishes aggregate and anonymized findings in the first instance, with protocol-level disclosure handled separately. For protocols that pass the assessment, results are made publicly available to users and investors.

The findings are available in full at stride.asymmetric.re/first-findings.


Solana Compass is an independent Solana analytics and staking platform, operating a validator on Solana mainnet since September 2021. Its network statistics and...

