We've spent years in the depths of Solana security, and the last
12 weeks gave us our clearest picture yet of the ecosystem's
overall security posture. While we're not where we want to be, that's
exactly why this work matters. Launched in partnership with the Solana Foundation, STRIDE showed us the recurring patterns,
the gaps we need to close, and the opportunity ahead of us to raise
the bar.
The protocols going through STRIDE are doing something most of the
industry is not: applying to go through an independent review. This puts
them ahead of most of the industry, and gives us all a rare, honest look
at where Solana security actually stands. Here is what we are seeing.
Logging and alerting needs the most work. Only ~17% of assessed protocols are actively applying comprehensive logging and alerting controls. Most teams have limited visibility into what is happening on-chain and off.
Operational security is an early-stage practice for most teams. Only ~13% demonstrate mature practices. Unmanaged devices, broad access, and keys stored on disk show up consistently.
Supply chain hygiene has significant room to grow. Only ~13% use verifiable builds. Most protocols have limited provenance over the artifacts running in production.
Program security is only half the picture. Only ~9% of protocols showed advanced defense-in-depth at the program layer, and the on-chain circuit breakers and off-chain IR that should catch any failures that slip through were even rarer.
Why this matters
Web3 security failures are rarely just smart contract bugs. Again
and again, attacks land through security essentials we already
know how to manage: weak key management, overpowered admin roles,
compromised frontends, missing monitoring, and unsafe operational
processes.
Code review matters, but it is only one control in a much larger
system. Real security treats a protocol like load-bearing
production infrastructure: map trust assumptions, harden upgrade
paths, lock down supply chains, rehearse incident response, and
keep measuring maturity across the whole stack. None of this is
new. It is the boring, battle-tested fundamentals, applied with
the discipline that systems holding immutable money demand.
How STRIDE works
STRIDE defines security requirements across eight pillars, giving
protocols a clear baseline to measure and improve against.
Program security
Governance
Oracle / external dependencies
Infrastructure
Supply chain / release process
Operational
Monitoring & incident response
Logging & alerting
Each of the 40 controls is scored on a 4-point maturity scale, and
pillar scores are combined to produce an overall security posture
rating.
0
Not implemented
Absent or entirely ad hoc
1
Basic
Initial implementation with significant gaps
2
Mature
Consistent implementation with minor gaps
3
Advanced
Comprehensive implementation with continuous improvement
Assessments run in two stages.
→Protocols first complete a self-assessment against all 40 controls.
→STRIDE assessors then review the results and, where possible,
work directly with the team to verify and score each control.
Our first wave of assessments surfaced the findings below. One
pattern stood out early: the most critical exposures are in
operational practices and detection layers, areas often left
untouched by audits.
Inadequate logging and alerting
~17%
Current state
Only ~17% are actively applying comprehensive logging and alerting controls. The majority of assessed protocols entirely lack centralized logging and alerting. They do not actively monitor for anomalous patterns on-chain or off-chain, and invariants are not accounted for in security measures.
The risk
Without real-time alerting, an active exploit can go unnoticed for hours or days. The inability to detect malicious behavior means attackers can systematically drain protocol liquidity without automated circuit breakers intervening or waking developers. By the time the team realizes an attack is occurring, the funds are already irreversibly lost. This is not limited to on-chain activity. The lack of logging and alerting in traditional environments, whether developer laptops, the infrastructure running off-chain resources, or SaaS products, all become blind spots in the staging of on-chain attacks.
Operational security, endpoint hardening, and key management failures
~13%
Current state
Only ~13% demonstrate mature operational security practices. The standard observed is unmanaged devices, which co-mingle personal attack surfaces with protocol development or signing environments. Developers often have broad-reaching, unchecked access to the entire development and production infrastructure pipeline. Beyond this, the ability to move funds or adjust key program parameters is often protected by a single key, which in some cases is even stored directly on disk.
The risk
Exploitation of a contributor endpoint can lead to compromised deployer keys, admin credentials, cloud access, CI/CD privileges, or access to signing workflows, enabling tampering with deployments, frontends, dependencies, or operational infrastructure. Because many environments lack endpoint hardening, access segmentation, and robust key management, a single compromised device may enable lateral movement across development, production, and signing systems. When critical protocol actions are protected by single keys or keys stored on disk, this can lead to unauthorized upgrades, parameter manipulation, fund transfers, service disruptions, or a complete protocol takeover.
Vulnerabilities in supply chain and release processes
~13%
Current state
Only ~13% use verifiable builds throughout their development and production pipelines, or take measures to prevent resource manipulation along the way. The lack of provenance goes beyond dependencies to artifacts constructed and utilized throughout development and operational environments. There are also frequent opportunities for a single actor to bypass intended security constraints.
The risk
A compromised dependency during the build process can infect the protocol's core binaries before they are even deployed. The ability for a threat actor to utilize compromised credentials to not only push malicious code into a main branch, but also to circumvent controls put in place to prevent this by virtue of broad administrative access can lead to end-to-end compromise. Where strong controls exist to protect the development pipeline, a lack of provenance for builds and enforcement when using artifacts in production might lead to the direct injection of malicious code.
Minimal circuit breakers and emergency response functions
~17%
Current state
Only ~17% of protocols include advanced IR capabilities that plan for unexpected outcomes, despite the overall lack of known exploitable bugs. There is frequently a lack of both on-chain and off-chain circuit breaker implementations with diverse coverage to include invariant violation. The built-in capability to respond to security events in an isolated manner is also rare, with most implementations relying on a single-protocol kill switch that is manually activated.
The risk
Traditional code review looks for the capability to exploit a protocol for its funds, which provides a good layer of security. However, you should also design your program so that if that security fails, protective actions come into play. Assuming that an impossible outcome cannot happen while failing to create a response function for when it does leaves you defenseless when an attacker achieves the unthinkable. While establishing a comprehensive set of protective scenarios is essential, failure to isolate these defenses to specific functions or capital pools can exacerbate the fallout from an exploit. A truly resilient response relies on the ability to compartmentalize risk and integrate multiple defensive factors to limit the overall impact on users.
Early signals
Protocols routinely overrate their own security posture
A consistent pattern we observed was a meaningful gap between
self-reported scores and what independent review surfaces.
Controls marked complete often had partial coverage or
workarounds that only emerged under scrutiny.
This is not a criticism of the teams, but highlights what
STRIDE was designed to find. Nobody can see their own blind
spots, and the gap between what a team believes and what
review confirms is one of the most useful signals we get.
This could be due to a variety of factors.
→Resource-constrained teams. People often cover multiple roles without being an expert in
each. Teams may lack the staffing to properly address
security in depth across all disciplines.
→Lack of institutional security backgrounds. Teams without prior exposure to enterprise security,
regulated infrastructure, or formal audit and compliance
environments may not have seen what good defense-in-depth
looks like.
→Audit culture. Many teams have been conditioned to treat smart contract
audits as the main security milestone, creating a false
sense of security upon completion.
→Trust over formal security. Security is often entrusted to individuals rather than built
into systems, without accounting for the moment when that
trust is compromised.
Pressure to ship outweighs security
Many teams are under constant pressure to launch, grow their
user base, attract liquidity, and keep up with the pace of
web3. When time and money are limited, the work that helps
prevent future problems can lose out to the work that gets a
product live today.
Security may also not be the team's main specialty, or
something they can afford to staff deeply. So teams often make
practical trade-offs to keep moving, even when that means some
risks are not yet fully understood or addressed. This is
usually not carelessness; it is the reality of small teams
trying to build serious infrastructure under startup-level
constraints.
What is next
STRIDE is only 12 weeks old. Here is what comes next.
→A larger dataset. More assessments mean more signal. Patterns that are
directional now will become statistically robust as the number
of participating protocols grows.
→Framework refinement. Real assessment data is already informing how we run the
process and weight controls. Expect the framework to keep
evolving based on what we find in practice.
→A rising bar. As more protocols participate, STRIDE increasingly becomes a
reference point. Every assessment makes our overall ecosystem
better.
A stronger Solana
We understand the constraints: security takes both time and money
that could otherwise go toward shipping features or bootstrapping
liquidity. A prevented attack leaves no trace, so its value is
almost impossible to feel until the day a successful one makes it
impossible to ignore. These are real pressures, and they are why
security depth so often loses to the demands of right now.
Every team in STRIDE chose to rise to the challenge, and that
takes a kind of nerve the whole ecosystem should respect.
Knowing exactly where we stand lets us set a north star for where
Solana security needs to go next. The ecosystem has never been
short on ambition or stamina; we move fast and stick with hard
problems until they are solved. Raising the water level for
everyone has always been core to our ethos, and that is what
STRIDE is here to do: strengthen the ecosystem and protect what we
have collectively worked so hard to build.
Every STRIDE assessment helps us build a more secure Solana.