Solana rolls out STRIDE security program after $286 million drift hack


The timing could not have been more pointed. Less than a week after Drift Protocol, Solana’s largest decentralized perpetual futures exchange, was drained of $286 million in what investigators suspect was a North Korean state-sponsored operation, the Solana Foundation announced on Tuesday a sweeping new security initiative designed to overhaul how the ecosystem protects itself against exactly these kinds of threats.

The foundation unveiled STRIDE (Solana Trust, Resilience and Infrastructure for DeFi Enterprises), a structured program developed in partnership with Web3 security firm Asymmetric Research and aimed at evaluating, monitoring, and escalating security across Solana-based protocols.

Alongside it came SIRN, a companion incident response network built for real-time crisis coordination. Together, the two programs represent the most coordinated security push Solana has mounted since the ecosystem began scaling in earnest.

What the Drift hack exposed

Before getting into what STRIDE actually does, it’s worth understanding what prompted it. On-chain staging for the April 1 attack on Drift started nearly three weeks earlier, on March 11, with a single 10 ETH withdrawal from Tornado Cash.

What followed was a months-long operation combining social engineering, oracle manipulation, and a governance exploit, all of which executed in roughly 12 minutes once the attackers moved.

The attacker drained funds by abusing a legitimate Solana feature called “durable nonces,” securing two misleading approvals from Drift’s five-member Security Council multisig, then using pre-signed transactions that remained valid for over a week to seize protocol-level control in minutes. 

The critical detail: weeks before the attack, the protocol had removed a timelock from its Security Council, a single governance change that converted a complex, multi-week operation into a 12-minute cash-out. 
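The two conditions described above can be checked before a multisig signer approves anything. The sketch below is an added example, not code from Drift, Solana, or the article: it flags requests whose first instruction is the System Program's AdvanceNonceAccount (the marker of a durable-nonce transaction) and requests that lower a timelock. The request layout, the `privileged` and `new_timelock_s` fields, the placeholder program name, and the 24-hour policy value are assumptions made for illustration.

```python
import struct

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # System Program instruction index, u32 little-endian

def uses_durable_nonce(instructions):
    """True if the first instruction is System Program AdvanceNonceAccount,
    which is what marks a Solana transaction as using a durable nonce."""
    if not instructions:
        return False
    first = instructions[0]
    data = first["data"]
    return (first["program_id"] == SYSTEM_PROGRAM_ID and len(data) >= 4
            and struct.unpack_from("<I", data)[0] == ADVANCE_NONCE_ACCOUNT)

def review_signing_request(req, min_timelock_s):
    """Return findings a multisig signer should resolve before approving."""
    findings = []
    if uses_durable_nonce(req["instructions"]):
        findings.append("durable-nonce: signature stays valid until the nonce is advanced")
        if req["privileged"]:
            findings.append("privileged-presign: governance action with no expiry")
    new_lock = req.get("new_timelock_s")  # None when the timelock is untouched
    if new_lock is not None and new_lock < min_timelock_s:
        findings.append(f"timelock-reduced: {new_lock}s is below policy {min_timelock_s}s")
    return findings

# Constructed sample requests (hypothetical layout, not real transactions).
NONCE_IX = {"program_id": SYSTEM_PROGRAM_ID,
            "data": struct.pack("<I", ADVANCE_NONCE_ACCOUNT)}
GOV_IX = {"program_id": "GovProgramPlaceholder", "data": b"\x01"}

ROUTINE = {"instructions": [GOV_IX], "privileged": False}
PRESIGNED_ADMIN = {"instructions": [NONCE_IX, GOV_IX], "privileged": True}
DROP_TIMELOCK = {"instructions": [GOV_IX], "privileged": True, "new_timelock_s": 0}

if __name__ == "__main__":
    for name, req in [("routine", ROUTINE), ("presigned", PRESIGNED_ADMIN),
                      ("drop-timelock", DROP_TIMELOCK)]:
        print(name, review_signing_request(req, min_timelock_s=86400))
```
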

Drift’s TVL collapsed from roughly $550 million to under $250 million following the attack, making it the largest DeFi hack of 2026 to date and the second-largest in Solana’s history, behind only the $326 million Wormhole bridge exploit in 2022. 

Security firms Elliptic and TRM Labs have linked the operation to DPRK-affiliated actors, citing laundering methodologies consistent with previous North Korean cyber campaigns.

It was the kind of attack that exposed not one flaw but several simultaneously: oracle integrity, governance hygiene, multisig operations, and monitoring gaps all contributed. STRIDE appears to be a direct response to that pattern.

How STRIDE and SIRN actually work

The program moves away from the traditional model of one-off audits and replaces it with continuous, foundation-funded protection scaled to each protocol’s size and risk profile. STRIDE is structured around eight security pillars covering operational security, access controls, multisig configurations, and governance vulnerabilities. 

Asymmetric Research conducts hands-on assessments of participating protocols and publishes findings in a public repository, giving users and investors direct visibility into the security posture of the protocols they interact with. 

The tiered structure is where it gets practical. For protocols with more than $10 million TVL that pass evaluation, STRIDE provides ongoing operational security and 24/7 active threat monitoring, funded by Solana Foundation grants. 

For protocols exceeding $100 million in TVL, the foundation will additionally fund formal verification, a mathematical, proof-based method that exhaustively checks every possible smart contract state and execution path. 

That last piece matters a lot. Formal verification is expensive, time-consuming, and out of reach for most smaller teams. Making it foundation-funded for larger protocols removes what has historically been an economic barrier.

The Solana Incident Response Network, or SIRN, runs parallel to STRIDE. Founding participants include Asymmetric Research, OtterSec, Neodyme, Squads, and ZeroShadow, firms that will share threat intelligence, coordinate responses to active incidents, and contribute to the ongoing evolution of STRIDE’s framework. 

SIRN is available to all Solana protocols but prioritized based on TVL, which is a reasonable if imperfect triage system. The foundation also noted that STRIDE comes amid a broader deterioration in DeFi security. 

Malicious actors stole over $168 million from 34 DeFi protocols in the first quarter of 2026, according to DefiLlama data, though that figure is sharply lower than the $1.58 billion stolen in the same period in 2025. A declining trend, but the persistence of attacks, and their increasing sophistication, suggests the threat is evolving faster than most defenses.

The foundation noted separately that AI agents are becoming an emerging threat vector. In January, $40 million was drained from Step Finance, a Solana DeFi platform, with AI agents reportedly amplifying the damage by executing large transfers autonomously. 

The foundation was careful to make one point clear: STRIDE does not transfer responsibility away from individual protocols. Teams managing significant user funds are still expected to maintain their own security practices. 

These tools are meant to raise the floor, not to replace the work protocols should be doing themselves. That distinction matters, particularly given that Drift had received passing grades from two separate auditors, including one audit conducted just weeks before the April 1 attack.

Asymmetric Research noted that STRIDE’s public disclosure model is designed to give users, investors, and the broader ecosystem real transparency into the security posture of the protocols they interact with, which is arguably something the space has needed for a while.

Whether a program like STRIDE would have caught the Drift exploit before it happened is genuinely unclear. The attack exploited governance decisions and social engineering, not just code, and those are harder categories to evaluate on a checklist. But the direction is the right one, and for an ecosystem of Solana’s scale, having a coordinated, funded, and institutionalized security layer is overdue.
