Asymmetric Research Publishes First STRIDE Findings After 12 Weeks Auditing Solana Protocols
STRIDE audited 40 Solana DeFi protocols: 17% have full logging, 13% mature key management, 9% advanced program defenses. First findings by Asymmetric Research.
Asymmetric Research has published the first public findings from STRIDE, a 12-week continuous security review program covering Solana DeFi protocols, with results that show most protocols still have significant operational security gaps even after passing traditional code audits.
The report, released June 30 at stride.asymmetric.re/first-findings, covers the initial wave of 40 protocols assessed under the program. STRIDE (Solana Trust, Resilience and Infrastructure for DeFi Enterprises) was launched in April 2026 in partnership with the Solana Foundation, and assesses protocols across eight security pillars rather than focusing solely on smart contract code.
What STRIDE Measures
The program evaluates each protocol against 40 controls organized under eight pillars: program security, governance, oracle and external dependencies, infrastructure, supply chain and release processes, operational security, monitoring and incident response, and logging and alerting. Each control is scored on a four-point maturity scale from zero (not implemented) to three (advanced). Asymmetric Research conducts an independent verification stage after protocols complete a self-assessment.
A key finding in the first report: self-reported completion often overstated real implementation. As Asymmetric Research noted in the report, "controls marked complete often had partial coverage or workarounds that only emerged under scrutiny." The organization attributed this to resource constraints and audit-culture norms rather than deliberate misrepresentation.
First-Wave Results Across 40 Protocols
The headline numbers from the first 12 weeks show most protocols are well below mature on the controls that matter most outside of code review.
Logging and alerting was the most widely missing control, with roughly 83% of the 40 protocols lacking comprehensive monitoring. On-chain anomalies, the early warning signs of an exploit in progress, can go undetected for hours or days without it. Systematic fund drains can proceed without triggering any alert.
Operational security and key management showed similarly low adoption. The findings describe common problems: unmanaged devices with elevated access, credentials stored on disk, and overpowered access scopes that could allow unauthorized program upgrades. That class of vulnerability is one a code audit will not catch, because the code itself may be correct.
Supply chain and release security, specifically whether protocols use reproducible and verifiable builds, sat at 13% adoption. Without provenance controls over production artifacts, a compromised dependency can introduce malicious code without touching the audited codebase.
Program-layer defense-in-depth, which covers circuit breakers, rate limits, and emergency pause functions that could isolate an exploit mid-execution, was at 9%. For protocols holding significant TVL, the absence of these controls means there is no mechanism to limit damage once an attacker has found a path in.
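As an added illustration (not code from the STRIDE report or from any assessed protocol), the sketch below shows how a rate limit, a circuit breaker, and an emergency pause fit together around a vault withdrawal path. It is plain Rust with no Solana SDK dependency; the type names, the 10%-per-hour threshold, and the sample amounts are all hypothetical.

```rust
// Added illustration; names and thresholds are hypothetical, not from any assessed protocol.
#[derive(Debug, PartialEq)]
pub enum Decision { Allow, RejectPaused, TripAndReject }

pub struct OutflowGuard {
    pub paused: bool,     // emergency pause: set by the breaker or by an operator
    window_secs: i64,     // length of one rate-limit window
    max_bps: u128,        // share of start-of-window balance allowed out, in basis points
    window_start: i64,
    window_outflow: u128, // total released in the current window
}

impl OutflowGuard {
    pub fn new(window_secs: i64, max_bps: u128) -> Self {
        Self { paused: false, window_secs, max_bps, window_start: 0, window_outflow: 0 }
    }

    /// Call before releasing `amount`. `balance` is the vault balance before this
    /// withdrawal and `now` is the chain clock in unix seconds.
    pub fn check(&mut self, amount: u64, balance: u64, now: i64) -> Decision {
        if self.paused { return Decision::RejectPaused; }
        if now - self.window_start >= self.window_secs {
            self.window_start = now; // new window, counter starts over
            self.window_outflow = 0;
        }
        // Approximate the start-of-window balance (deposits ignored); u128 avoids overflow.
        let cap = (balance as u128 + self.window_outflow) * self.max_bps / 10_000;
        let projected = self.window_outflow + amount as u128;
        if projected > cap {
            // Circuit breaker: latch the pause. On-chain, a failed instruction rolls back
            // account writes, so persist this flag and skip the transfer instead of erroring.
            self.paused = true;
            return Decision::TripAndReject;
        }
        self.window_outflow = projected;
        Decision::Allow
    }

    /// Operator action after review; authority checks are out of scope here.
    pub fn unpause(&mut self, now: i64) {
        *self = Self { window_start: now, ..Self::new(self.window_secs, self.max_bps) };
    }
}

fn main() {
    let mut g = OutflowGuard::new(3600, 1_000); // constructed scenario: 10% per hour
    println!("{:?}", g.check(60_000, 1_000_000, 100)); // within the cap
    println!("{:?}", g.check(50_000, 940_000, 200)); // exceeds the cap, trips the breaker
}
```

The latch matters more than the limit itself: once the cap is exceeded, every later withdrawal is refused until an operator reviews and unpauses, which bounds the loss to one window's allowance.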
How STRIDE Scores and Reports Protocol Security Posture
The report is an assessment of operational security posture, not a vulnerability disclosure. Asymmetric Research did not identify specific protocol names or publish exploit-ready findings. The purpose is to establish a baseline: a measurable picture of where the ecosystem stands across these categories, and a clear target for individual protocols to improve against.
STRIDE evaluates against a published framework, scores protocols against it, and produces a risk tier rating per protocol. For protocols exceeding $10M in TVL that pass the assessment, the Solana Foundation funds ongoing threat monitoring and operational security support. Formal verification is available for protocols above $100M TVL. These benefits are conditional on passing the assessment, not automatically granted.
Why Asymmetric Research Built STRIDE After the Drift Protocol Exploit
STRIDE's creation followed the April 2026 Drift Protocol exploit: the Solana Foundation and Asymmetric Research announced the program days after that incident. The episode showed that code-only audit programs leave significant attack surface unaddressed, particularly around operational controls that live outside the contract code itself.
Asymmetric Research's position in STRIDE is as an independent assessor, not a co-auditor with protocols. The organization brings prior incident response experience across the Solana ecosystem. Its partner network for STRIDE includes over 25 security vendors covering fuzzing, formal verification, static analysis, and bug bounties, among them Trail of Bits, Certora, Immunefi, and Sherlock.
The companion initiative to STRIDE is SIRN, the Solana Incident Response Network. SIRN is a membership-based network of security firms with coordinated response capabilities. Founding participants include Asymmetric Research, OtterSec, Neodyme, Squads, and ZeroShadow.
STRIDE's Next Phase: Expanding Beyond the Initial 40 Protocols
Asymmetric Research described this report as the first in a series of updates. The program plans to expand the assessment dataset beyond the initial 40 protocols, refine its framework based on empirical results, and establish a durable ecosystem-wide security baseline that can be tracked over time.
The 40 protocols in the first wave are not individually named in the public findings. The organization's stated model publishes aggregate and anonymized findings in the first instance, with protocol-level disclosure handled separately. For protocols that pass the assessment, results are made publicly available to users and investors.
The findings are available in full at stride.asymmetric.re/first-findings.