On-chain activity
Asymmetric Security
Asymmetric Research provides blockchain security services, including vulnerability research, embedded security engineering, and incident response. The service identifies security issues in smart contracts and blockchain infrastructure using coordinated disclosure processes.
Asymmetric Infrastructure
Asymmetric operates validator infrastructure and services for multiple blockchain networks.
Asymmetric Research news, features & analysis
Matched from published articles, podcasts, and talks using the project name, token name, or token symbol.
-
Asymmetric Research Publishes First STRIDE Findings After 12 Weeks Auditing Solana Protocols
Asymmetric Research conducts an independent verification stage after protocols complete a self-assessment. ... As Asymmetric Research noted in the report, "controls marked complete often had partial coverage or workarounds that only emerged under scrutiny." The organization attributed this to resource constraints and audit-culture norms rather than deliberate misrepresentation.
-
Breakpoint 2025: Security Block: Asymmetric Research
These aren't hypothetical scenarios—they're real security flaws discovered by Asymmetric Research in production Solana programs over the past year. ... - Asymmetric Research discovered a vulnerability in Marginfi that could have led to $160 million in losses through flash loan exploitation
Asymmetric Research
Asymmetric Research
TLDR
Asymmetric Research (AR) is a blockchain security firm founded in August 2023 under the tagline "Enabling Secure Innovation." Rather than delivering one-off point-in-time audits, the firm embeds directly into client engineering teams through multi-month or multi-year partnerships, systematically reducing attack surface over time. On Solana specifically, AR has become one of the most prominent security organizations in the ecosystem, launching the STRIDE ecosystem-wide security evaluation program with the Solana Foundation, open-sourcing the Crucible coverage-guided fuzzing framework for Anchor programs, and operating high-performance Firedancer validators.
Core Mechanism and Philosophy
The central bet at Asymmetric Research is that point-in-time audits fail to address the operational and systemic vulnerabilities that cause real-world exploits. Most high-profile DeFi losses trace not to missed smart-contract logic errors, but to weak key management, absent monitoring, incomplete incident response plans, and supply chain weaknesses. AR's model is built around long-term embedded engagement: researchers join client teams as integrated contributors, participating in code reviews, design discussions, and ongoing threat modeling rather than reviewing a fixed codebase for a defined fee.
This "embedded security engineering" model is complemented by full-service security programs that span strategy through execution, coordinated vulnerability disclosure research, and emergency incident response. The firm claims to have recovered over $300 million in digital assets through its incident response work.
The CEO is Jonathan (handle @claudijd), who previously led the offensive security team at Mozilla. The research team includes Felix Wilhelm, Denis Kolegov, Liam Wachter, John Saigle, Magnus Woodgate, Maxwell Dulin, and John Bottoms, all of whom publish technical research publicly on the AR blog.
Key Services
Embedded Security Engineering is AR's flagship offering. Researchers integrate directly into a protocol team for an extended period, eliminating bug classes systematically rather than cataloging issues at a snapshot in time.
Incident Response covers emergency engagement when a protocol is actively being exploited or has suffered a loss. AR has been involved in some of the largest DeFi incident responses, working with clients including Wormhole, Jump Crypto, Jito Labs, Euler Finance, Immunefi, and KyberSwap.
Security Research and Coordinated Disclosure produces original vulnerability research that AR publishes publicly. Recent examples include a marginfi flash loan vulnerability that put $160M at risk (found and disclosed before exploitation), a Relay Protocol Ed25519 verification bypass that could have allowed forged allocator signatures and double-spends in cross-chain liquidity, a missing access-control check in the Pragma oracle on Starknet that could have disabled core price feeds, and an event spoofing vulnerability in Across Protocol's Solana integration.
Blockchain Validation involves running high-integrity validator infrastructure on multiple networks, giving AR hands-on perspective on the operational security challenges protocols and node operators face.
Solana-Specific Work
AR has made Solana its most active ecosystem for both research and infrastructure.
STRIDE is a comprehensive independent security review program launched in partnership with the Solana Foundation. After 12 weeks auditing 40 Solana DeFi protocols, AR published its first findings using a framework of 40 controls across eight security pillars: program security, governance, oracle and external dependencies, infrastructure, supply chain and release process, operational practices, monitoring and incident response, and logging and alerting. Each control is scored on a four-point maturity scale, with protocols first self-assessing and then undergoing independent verification.
The initial STRIDE findings exposed significant gaps: only 17% of assessed protocols had mature logging and alerting capabilities, meaning active exploits could operate undetected for extended periods. Only 13% had mature operational security practices; common failures included unmanaged developer devices co-mingling personal attack surfaces with protocol development and single private keys protecting critical functions. Only 13% used verifiable builds across their supply chains. Self-reported security scores consistently exceeded independently assessed scores, revealing that teams lacked visibility into their own weaknesses. STRIDE makes its findings public to drive transparency across the Solana ecosystem.
Crucible is a coverage-guided fuzzing framework for Solana programs built by AR and released as open source in May 2026. Designed specifically for the Anchor framework with Anchor v2 support from launch, Crucible integrates directly into the Anchor CLI and runs via standard commands with no separate setup. It exposed a years-old bug in Solana's native stake program within seconds of being run against it. AR's own deployment of Crucible for fuzzing the Commonware runtime runs 90 targets continuously, surfacing over 60 bugs across its primitives.
Validator Operations AR runs Solana validators, including a Firedancer validator that ranked seventh by median block reward among all validators with over 400,000 SOL in stake. The firm participates in the DoubleZero network (co-branded validator) and the Fogo Chain network, and is a beta validator partner for Pyth Finance.
Anchor Bounty Program AR co-hosts the Anchor bug bounty program with the Solana Foundation, focused on strengthening the Anchor framework security for the broader ecosystem.
Open Protocol Security Coalition (OPSeC) AR is a founding partner alongside DeFi Fund and SEAL Org in OPSeC, an initiative that curates free cybersecurity resources, hosts educational events, and engages with policymakers and regulators on open-source protocol security.
Tooling and Research Output
AR's blog publishes peer-reviewed technical vulnerability disclosures and security research, with named authors and code-level analysis. Topics span Solana program vulnerabilities and security misconceptions, cross-chain bridge edge cases, oracle manipulation, supply chain risks in GitHub Actions CI pipelines, and agent auditing. AR also open-sourced a prototype for measuring code coverage when AI coding agents audit a codebase.
AR participated as a security partner for the Monad client's open-source audit competition on Code4rena, which carried a $500,000 prize pool.
Tokens and Assets
Asymmetric Research has no protocol token. The firm operates as a professional services and infrastructure company; its business model is fee-based engagements and validator rewards rather than token issuance.
Solana Ecosystem Fit
AR is deeply integrated into the Solana ecosystem across multiple layers: as a security partner to major protocols, as a validator running Firedancer infrastructure, as the operator of the Solana Foundation's STRIDE program, and as the author of Solana-native open-source tooling like Crucible. The firm's long-term embedded engagement model fits Solana's culture of close builder relationships and rapid iteration, and its public research output directly benefits the ecosystem by surfacing systemic vulnerabilities and correcting security misinformation. As Solana's DeFi TVL has grown, the need for AR's style of operational and infrastructure security has grown alongside it.
Contents
- TLDR
- Core Mechanism and Philosophy
- Key Services
- Solana-Specific Work
- Tooling and Research Output
- Tokens and Assets
- Solana Ecosystem Fit
Solana Token Markets
