
STRIDE Explained: 5 Solana DeFi Security Questions to Ask

STRIDE is Solana's new DeFi security program, launched after the $270M Drift hack. What it covers, what it doesn't, and 5 questions DeFi users should ask.

LumLabs Team · 11 min read

On April 1, 2026, Solana's largest DeFi exploit of the year drained $270 million from Drift Protocol in under a minute. The attack didn't exploit a smart contract bug. It exploited a 2-of-5 multisig with zero timelock, social-engineered pre-signed transactions, and a fake collateral token whose oracle price had been manipulated through three weeks of wash trading.

According to Drift's post-mortem, the operation was a six-month intelligence campaign by a North Korean state-affiliated group (UNC4736 / AppleJeus / Citrine Sleet) that infiltrated the protocol's professional network starting in fall 2025, met contributors face-to-face at major industry conferences across several countries, and deposited over $1 million of their own capital before executing. Devices were compromised through a malicious TestFlight app and a known VSCode/Cursor vulnerability, the kind of attack vectors most DeFi teams don't plan for.

Five days later, Solana Foundation announced STRIDE: a new ecosystem-wide security program led by Asymmetric Research. The connection isn't subtle, and as a SOL staker or Solana DeFi user, here's what it actually means for you.

What STRIDE actually is

STRIDE (short for Solana Trust, Resilience and Infrastructure for DeFi Enterprises) is a Foundation-funded program that evaluates Solana DeFi protocols against eight standardized security pillars. Independent security firms run the evaluations, and the findings are published in a public repository. It's not a one-time audit. It's an ongoing framework with three tiers based on Total Value Locked (TVL).

The tiering works like this: any protocol of any size gets access to SIRN incident response and free security tools (Hypernative, Range, Sec3 X-Ray, Riverguard). Protocols above $10M TVL also get a STRIDE evaluation and 24/7 active threat monitoring funded by Foundation grants. Protocols above $100M TVL additionally get Foundation-funded formal verification: a proof-based method that checks a smart contract's code against a written specification across every reachable state, rather than against the sample of inputs a test suite or a manual audit happens to exercise.

Alongside STRIDE, the Foundation launched SIRN (Solana Incident Response Network), a membership-based network of security firms providing 24/7 real-time response to active incidents. The five founding members are Asymmetric Research, OtterSec, Neodyme, Squads, and ZeroShadow. SIRN is open to any Solana protocol, with response priority based on TVL.

You can read the full announcement on the Solana Foundation security page.

One critical clarification that's easy to miss in the announcement: STRIDE participation is opt-in, not mandatory. Projects apply through an official form. Foundation doesn't automatically enroll any protocol, regardless of TVL. The $10M and $100M thresholds determine the level of support a protocol receives if it applies and passes; they're not enrollment requirements. A protocol with $500M TVL can simply choose not to apply, and nothing in the framework forces them to. As a user, "not on the STRIDE registry" is not a security verdict. It just means the protocol hasn't applied yet, or chose not to. Use the other signals: audit history, multisig disclosure, past incidents, team transparency.

What STRIDE doesn't cover

This is where the official announcement gets vague, and where it matters most for users with funds in DeFi.

Drift would have failed STRIDE, but maybe not the way you think. The exploit wasn't a code bug. The smart contracts worked exactly as written. The failure was operational: a multisig migration to a 2-of-5 threshold with zero timelock, combined with social-engineered pre-signed transactions that escalated privileges in minutes. STRIDE's framework explicitly mentions operational security as part of its scope, so in theory it could flag a 2-of-5 multisig with no timelock as a critical risk. But "could" depends entirely on how rigorously evaluators apply the framework. A box-checking audit and a rigorous one look very different from the outside.

It's reactive, not preventive, for now. STRIDE just launched. As of this writing, the public registry of evaluated protocols is essentially empty. Foundation has the framework and the funding in place, but the evaluations themselves take weeks to months per protocol. For the next several months, "STRIDE-certified" will be a small list, and "not yet evaluated" will include nearly every protocol you actually use.

TVL gaps. The threshold for ongoing 24/7 monitoring is $10M TVL. That excludes a lot of smaller projects, including the experimental and early-stage protocols where security failures are most common. It's a pragmatic threshold (Foundation has finite budget), but it leaves a real gap.

It doesn't cover economic exploits. Depeg events, governance attacks, MEV-related slippage: these are economic and game-theoretic, not bugs in code. STRIDE focuses on code and operations. If a stable depegs because of a market panic, no security framework will save it. Oracle manipulation sits on the boundary: which price feed a protocol trusts is a technical design choice, but the manipulation itself happens in the market, and a contract that faithfully consumes a bad price will pass both an audit and a formal proof. The Drift attack combined a manipulated oracle price with operational compromise, which makes it a useful test case for what STRIDE will and won't catch.

It can't fully defend against state-level adversaries. This is the uncomfortable truth from the Drift post-mortem. The DPRK-linked group ran a six-month operation: building trust, attending conferences, depositing real capital, getting onboarded as a trading firm. The individuals who showed up in person weren't even North Korean nationals. DPRK threat actors at this level deploy third-party intermediaries with constructed identities and professional networks built to withstand due diligence. The pre-signed malicious transactions then sat dormant for over a week before execution. STRIDE evaluates protocols. It doesn't evaluate trust between humans. No framework can fully defend against an adversary willing to spend half a year and seven-figure capital to look like a trusted partner. STRIDE makes the technical attack surface smaller, but social engineering at this scale needs different defenses.

So STRIDE is necessary but not sufficient. As a user, you still need to do your own due diligence. Here are five questions that matter most.

The 5 security questions every Solana DeFi user should ask

1. Did this protocol pass STRIDE, or any independent audit?

STRIDE is meant to become the baseline, but for now most protocols haven't been evaluated. In the meantime, look for independent audits from reputable firms: OtterSec, Neodyme, Halborn, Trail of Bits, Certora, Asymmetric Research. Multiple audits over time matter more than a single one, and an audit only covers the commit it reviewed: check that the deployed program was built from the audited source, which is what verified-build tooling such as solana-verify exists for. Security is continuous, not a snapshot.

For staking pools specifically: the SPL Stake Pool program used by JPool, Phase Delegation, and others has been independently audited nine times across five firms (Neodyme, Halborn, OtterSec, Quantstamp, Kudelski) and is shared infrastructure. That's a stronger baseline than a proprietary smart contract that's only seen one review.

How to check: read the protocol's docs, look for an "Audits" or "Security" section, verify the audit reports are linked publicly. If you can't find them in five minutes, that's already a signal.

2. What's the multisig configuration, and is there a timelock?

This is the question that would have caught Drift. Most protocols are controlled by a multisig: a group of signers who can collectively approve admin actions. Two parameters matter:

  • Threshold: how many signatures are required out of the total. A 2-of-5 means any two compromised signers can take over. A 4-of-7 is meaningfully harder to attack, but only if the signers are actually independent: separate people, separate hardware wallets, separate machines. Five keys held on three laptops is not five signers, and the Drift attack went through signer devices, not through the program.
  • Timelock: how much time passes between when a transaction is approved and when it executes. Zero timelock means actions are instant, with no time for the community to spot something wrong. A timelock only buys safety if someone is watching the queue and there is a path to cancel a bad proposal before it executes; an unmonitored 24-hour delay is just a 24-hour delay, not a control.

Minimum acceptable for any protocol holding meaningful TVL: 3-of-5 with 24-hour timelock. Better: 4-of-7 with 48-hour timelock. Drift's setup: 2-of-5 with 0 timelock. The numbers tell a story.

How to check: look at the protocol's docs (most reputable teams publish their multisig setup), or use Squads and Solscan to inspect the on-chain multisig directly. Two things the docs often omit and the chain won't: whether a separate config authority can change the threshold, members or timelock without a vote, and whether the program's upgrade authority is actually the multisig's vault rather than a single hot key.
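One way to run the on-chain part of this check yourself, as an added example that is not code from the original post, from Drift, or from Squads: the script below Borsh-decodes a Squads v4 Multisig account and scores it against the 3-of-5 / 24-hour bar above. The account field order, the permission bit values (Initiate=1, Vote=2, Execute=4), and the reading of an all-zero config_authority as "config changes only by member vote" are my assumptions from the squads-multisig-program v4 source, not something this page states; verify them against the program before trusting the output on real accounts. The two sample accounts are constructed inside the script and are not real Drift or Marinade data.

```python
"""Decode a Squads v4 `Multisig` account and score it against the
threshold/timelock bar from question 2.

Added example, not code from the original post, Drift, or Squads. Assumed
layout (little-endian Borsh, verify against squads-multisig-program v4):
  8-byte Anchor discriminator, create_key Pubkey, config_authority Pubkey,
  threshold u16, time_lock u32, transaction_index u64,
  stale_transaction_index u64, rent_collector Option<Pubkey>, bump u8,
  members Vec<{key: Pubkey, permissions: u8}>
"""
import base64
import json
import struct
import urllib.request
from dataclasses import dataclass

PERM_INITIATE, PERM_VOTE, PERM_EXECUTE = 1, 2, 4   # assumed permission bits
ZERO_PUBKEY = bytes(32)                             # "autonomous" config authority
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Minimal base58 (Solana address format); the stdlib has none."""
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out


@dataclass
class Member:
    key: str
    permissions: int


@dataclass
class Multisig:
    config_authority: str
    threshold: int
    time_lock: int      # seconds between approval and execution
    members: list


def decode_multisig(data: bytes) -> Multisig:
    """Borsh-decode raw account bytes in the assumed v4 layout."""
    off = 8 + 32                                        # discriminator + create_key
    config_authority = data[off:off + 32]; off += 32
    threshold, time_lock = struct.unpack_from("<HI", data, off); off += 6
    off += 16                                           # transaction_index, stale_transaction_index
    if data[off]:                                       # Option<Pubkey> tag
        off += 32
    off += 1                                            # tag byte
    off += 1                                            # bump
    (n_members,) = struct.unpack_from("<I", data, off); off += 4
    members = []
    for _ in range(n_members):
        key = data[off:off + 32]; off += 32
        members.append(Member(b58encode(key), data[off])); off += 1
    return Multisig(b58encode(config_authority), threshold, time_lock, members)


def assess(ms: Multisig) -> tuple:
    """Score against the post's bar: minimum 3-of-N with a 24h timelock,
    better 4-of-N with 48h. Returns (rating, list of issues)."""
    voters = sum(1 for m in ms.members if m.permissions & PERM_VOTE)
    issues = []
    if ms.config_authority != b58encode(ZERO_PUBKEY):
        issues.append("config_authority set: one key can change threshold/members/timelock without a vote")
    if ms.threshold < 3:
        issues.append(f"threshold {ms.threshold}-of-{voters}: fewer than 3 signers can act")
    if voters and ms.threshold * 2 <= voters:
        issues.append(f"threshold {ms.threshold} is not a majority of {voters} voting members")
    if ms.time_lock == 0:
        issues.append("no timelock: approved transactions execute instantly")
    elif ms.time_lock < 24 * 3600:
        issues.append(f"timelock {ms.time_lock}s is under 24h")
    if issues:
        return "below minimum", issues
    if ms.threshold >= 4 and ms.time_lock >= 48 * 3600:
        return "better", issues
    return "minimum", issues


def encode_multisig(threshold, time_lock, member_keys, config_authority=ZERO_PUBKEY,
                    perms=PERM_INITIATE | PERM_VOTE | PERM_EXECUTE) -> bytes:
    """Build account bytes in the assumed layout; used only to construct samples."""
    out = bytearray(b"\0" * 8 + b"\x01" * 32 + config_authority)
    out += struct.pack("<HIQQ", threshold, time_lock, 0, 0)
    out += b"\0" + b"\xff"                               # rent_collector=None, bump
    out += struct.pack("<I", len(member_keys))
    for k in member_keys:
        out += k + bytes([perms])
    return bytes(out)


def fetch_account_data(address: str, rpc_url="https://api.mainnet-beta.solana.com") -> bytes:
    """getAccountInfo over JSON-RPC (network call; not used by the samples)."""
    payload = {"jsonrpc": "2.0", "id": 1, "method": "getAccountInfo",
               "params": [address, {"encoding": "base64"}]}
    req = urllib.request.Request(rpc_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        value = json.load(resp)["result"]["value"]
    if value is None:
        raise ValueError(f"no account at {address}")
    return base64.b64decode(value["data"][0])


# Constructed samples, not real on-chain data.
DRIFT_LIKE = encode_multisig(2, 0, [bytes([i]) * 32 for i in range(1, 6)])          # 2-of-5, no timelock
STRONG = encode_multisig(4, 48 * 3600, [bytes([i]) * 32 for i in range(1, 8)])      # 4-of-7, 48h

if __name__ == "__main__":
    for name, raw in (("2-of-5 / 0h", DRIFT_LIKE), ("4-of-7 / 48h", STRONG)):
        rating, issues = assess(decode_multisig(raw))
        print(f"{name}: {rating}", *issues, sep="\n  ")
```

To run it against a live protocol, locate the multisig config account (the Squads UI shows it; the authority Solscan displays on a program or treasury is usually the multisig's vault PDA, and the config account is a separate address), then pass fetch_account_data(address) to decode_multisig. A rating of "minimum" only means the numbers clear the bar; it says nothing about whether the signers are independent people on separate hardware, which the chain cannot tell you.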

3. Is the protocol formally verified?

Formal verification is the strongest guarantee available for the code itself: a mathematical proof that the smart contract satisfies a written specification across every possible state and execution path. Two caveats. The proof is only as good as the specification, so a property nobody wrote down is not proven. And it covers the program, not what surrounds it: the keys that can upgrade it, the oracle it reads, or the signers who approve admin actions. It's expensive ($100K-$500K per protocol), so it's rare. STRIDE now funds it for protocols above $100M TVL, which should expand the list significantly over the next year.

Reality check: as of April 2026, only a small handful of Solana protocols have any form of formal verification. Don't expect this for your average protocol. Treat it as a "nice to have" rather than a baseline requirement, for now.

4. Does the protocol have SIRN coverage?

SIRN is incident response, not prevention. When something goes wrong, having a coordinated network of five security firms ready to respond within minutes can make the difference between "we caught the exploit and froze the funds" and "we're issuing a post-mortem in three weeks." A lot of historical Solana hacks could have been mitigated with faster response. Drift's stolen funds were bridged out within hours, leaving an extremely narrow recovery window. With SIRN coverage, that window is the difference between recovery and total loss.

How to check: SIRN membership will be public information, and protocols that opt in are likely to advertise it.

5. How does the team handle past incidents?

Security isn't just about the code. It's about the people. Look at the team's track record: have there been previous exploits or close calls? How quickly did they respond? Did they publish a detailed post-mortem? Were users compensated, and how? Did the team change practices afterward, or did they downplay the issue?

Red flags: vague post-mortems, blame-shifting to "bad actors" without acknowledging operational gaps, no compensation for affected users, no follow-up changes.

Green flags: detailed technical post-mortems (Solend, Mango, Marinade have all published good ones), clear root-cause analysis, demonstrated changes to prevent recurrence, transparent compensation. A team that's been tested and responded well is often safer than a team that's never had to respond at all.

Top Solana DeFi protocols and their STRIDE eligibility

Here are the largest Solana DeFi protocols by TVL, as of April 2026. All of them are eligible for STRIDE based on TVL. They're all above the $10M threshold, and most are above the $100M threshold for Foundation-funded formal verification. None has publicly confirmed enrollment yet, because the program just launched.

Why this list and not just liquid staking pools? These are the protocols where the most user funds sit on Solana, and where a security failure has the largest impact on the ecosystem. They span lending, perpetuals, DEXs, and liquid staking. They are exactly the surface area STRIDE was designed to cover.

Protocol | Category | TVL | Notes
Jupiter | DEX aggregator + lending + perps | ~$2.7B | Multiple audits. No major incidents.
Kamino | Lending | ~$2.2B | Multiple audits. No major incidents.
Sanctum | LST aggregator | ~$2.2B | Multiple audits. No reported incidents.
Marinade (mSOL) | Liquid + native staking | ~$1.8B | 6-of-13 governance multisig publicly documented, the most transparent on this list.
Binance Staked SOL (bnSOL) | Liquid staking (centralized) | ~$1.6–2.3B | Different trust model: custody is centralized.
Raydium | DEX (AMM + CLMM) | ~$1.5–2B | Multiple audits. No major incidents.
Jito (jitoSOL) | Liquid staking | ~$1.1–2B | Multiple audits. No major incidents.
DoubleZero (dzSOL) | Liquid staking | ~$620M–$1.9B | Shorter audit history (launched January 2025).
Meteora | DEX / DLMM liquidity | ~$1B+ | Multiple audits. No major incidents.
SolBlaze (bSOL) | Liquid staking | ~$300M | 7 audits across 5 firms, the most audited liquid staking protocol on Solana. 2024 BLZE emission dispute with MarginFi, resolved through settlement.
Save (formerly Solend) | Lending | ~$300M | June 2022 governance whale incident: community voted to take over a whale's account to prevent cascade liquidation, then reversed it (SLND2) two days later with a 99.8% majority after backlash. The protocol survived and learned.
Marginfi | Lending | ~$200–300M | April 2024: co-founder Edgar Pavlovsky resigned, TVL dropped from $910M to $518M in 48 hours. No funds lost, the protocol kept running.
Drift Protocol | Perps DEX | ~$250M (was ~$550M) | The cautionary tale of this list. Multiple audits didn't prevent the $270M exploit, because the attack was operational and social, not technical. DPRK-linked group ran a six-month operation. Exactly the kind of failure STRIDE's operational security pillar is designed to catch.

The honest summary right now: every major protocol on Solana could be in STRIDE within the next year, but none are today. As a user, your evaluation has to rely on the public information available: audits, multisig disclosure, incident history, and team responses. STRIDE will eventually become a useful baseline. Until then, the five questions above are the framework.

Security in DeFi isn't a checkbox you tick once. It's an ongoing posture, and the questions you ask determine what you're actually risking.

Where this leaves you

The Drift hack was a wake-up call. STRIDE and SIRN are Solana Foundation's structural response, and arguably the most comprehensive security program any L1 has launched. But programs don't replace personal due diligence. The five questions in this post apply regardless of which protocol, pool, or product you put your funds in.

If you're on the other side of the equation, running or planning a Solana validator, we built Pools Advisor, a free tool that compares all 13 active delegation programs side by side. Our walkthrough article shows what it does and how validators use it to plan their delegation strategy.

Follow @lumlabs for updates as STRIDE rolls out and more Solana protocols enroll.

FAQ

STRIDE (Solana Trust, Resilience and Infrastructure for DeFi Enterprises) is a Foundation-funded security evaluation program for Solana DeFi protocols. It includes independent assessments against eight security pillars, public findings, 24/7 threat monitoring for protocols above $10M TVL, and Foundation-funded formal verification for protocols above $100M TVL.

SIRN (Solana Incident Response Network) is a membership-based network of security firms providing 24/7 real-time incident response across the Solana ecosystem. Founding members are Asymmetric Research, OtterSec, Neodyme, Squads, and ZeroShadow. Response priority is based on TVL, but the network is open to all protocols.

STRIDE evaluations will improve confidence in audited protocols, but no security program eliminates all risk. The framework reduces technical attack surface and enforces operational discipline for protocols that pass, but it can't catch every economic exploit, can't fully defend against state-level adversaries (as the Drift case showed), and only applies to protocols that voluntarily apply.

Solana Foundation will publish a public registry of evaluated protocols. As of April 2026, the program is brand new and no protocols have publicly confirmed enrollment yet. Check solana.com/news/solana-ecosystem-security for updates, and look for STRIDE badges or announcements on individual protocol websites.

STRIDE evaluates code and operational security, not team intent. While STRIDE-certified protocols are less likely to have technical vulnerabilities, no security program guarantees against malicious team actions. Always research the team behind any protocol you stake with: public identity, track record, and transparency matter.