The Solana Foundation announced a set of security initiatives on Monday, just five days after decentralized finance (DeFi) platform Drift Protocol suffered a $270 million exploit carried out by a group affiliated with the North Korean state following a six-month social engineering campaign.
The centerpiece is Stride, a structured evaluation program led by Ametric Research that will evaluate Solana DeFi protocols against eight security pillars and publish its findings publicly. The foundation also introduced the Solana Incident Response Network (SIRN), a group of security firms and researchers focused on real-time crisis response.
The initiatives address part of the problem exposed by Drift, but not the mechanics that actually caused the loss. Drift’s smart contracts were not compromised and its code passed audits. The vulnerability was human: the attackers spent six months building relationships with Drift contributors and compromised their devices through a malicious code repository and a fake TestFlight app.
According to Stride, protocols with more than $10 million in total value locked (TVL) that pass the assessment will receive continuous operational security and active threat monitoring funded by Solana Foundation grants, with coverage calibrated to each protocol’s risk profile.
For protocols with more than $100 million in TVL, the foundation will also fund formal verification, a mathematical method that verifies all possible execution paths in a smart contract to ensure correctness.
In addition to Ametric Research, founding members include OtterSec, Neodyme, Squads, and ZeroShadow. The network is available for all Solana protocols but is prioritized by TVL.
Read more: How North Korea’s six-month secret spy program is making the crypto community rethink security
However, formal Stride verification would not have detected the North Korean attack, which used the compromised devices to obtain multi-signature approvals that were then locked into durable nonce transactions and executed weeks later.
Neither would 24/7 monitoring of on-chain activity, because the transactions were valid by design and indistinguishable from legitimate administrative actions until they were used to empty the vaults. The attack exploited the gap between on-chain correctness and off-chain human trust, a gap that no smart contract monitoring or auditing tool is designed to cover.
SIRN, however, could have helped with the answer. ZachXBT, an on-chain security expert, criticized stablecoin issuer Circle Internet (CRCL) for failing to freeze more than $230 million of its stolen USDC pegged to the dollar for a six-hour period after the attack began.
A dedicated incident response network with established relationships with bridge operators, exchanges, and stablecoin issuers could have shortened the response time. Whether it would have been fast enough to prevent the wormhole from coalescing and obfuscating through Tornado Cash is an open question.
The foundation was careful to note that the programs “do not transfer the underlying responsibility of the protocols themselves,” a line that reads differently after Drift’s autopsy revealed that individual contributing devices were the entry point for a nation-state attack.
Solana already hosts several free security tools for builders, including Hypernative for threat detection, Range Security for real-time monitoring, and Neodyme’s Riverguard for attack simulation.
