Asymmetric Research Asymmetric Research × Solana Foundation Solana Foundation
June 2026

The State of Solana Security

First Findings from STRIDE

We've spent years in the depths of Solana security, and the last 12 weeks gave us our clearest picture yet of the ecosystem's overall security posture. While we're not where we want to be, that's exactly why this work matters. Launched in partnership with the Solana Foundation, STRIDE showed us the recurring patterns, the gaps we need to close, and the opportunity ahead of us to raise the bar.

The protocols going through STRIDE are doing something most of the industry is not: applying to go through an independent review. This puts them ahead of most of the industry, and gives us all a rare, honest look at where Solana security actually stands. Here is what we are seeing.

Logging and alerting needs the most work. Only ~17% of assessed protocols are actively applying comprehensive logging and alerting controls. Most teams have limited visibility into what is happening on-chain and off.

Operational security is an early-stage practice for most teams. Only ~13% demonstrate mature practices. Unmanaged devices, broad access, and keys stored on disk show up consistently.

Supply chain hygiene has significant room to grow. Only ~13% use verifiable builds. Most protocols have limited provenance over the artifacts running in production.

Program security is only half the picture. Only ~9% of protocols showed advanced defense-in-depth at the program layer, and the on-chain circuit breakers and off-chain IR that should catch any failures that slip through were even rarer.

Why this matters

Web3 security failures are rarely just smart contract bugs. Again and again, attacks land through security essentials we already know how to manage: weak key management, overpowered admin roles, compromised frontends, missing monitoring, and unsafe operational processes.

Code review matters, but it is only one control in a much larger system. Real security treats a protocol like load-bearing production infrastructure: map trust assumptions, harden upgrade paths, lock down supply chains, rehearse incident response, and keep measuring maturity across the whole stack. None of this is new. It is the boring, battle-tested fundamentals, applied with the discipline that systems holding immutable money demand.

How STRIDE works

STRIDE defines security requirements across eight pillars, giving protocols a clear baseline to measure and improve against.

Program security
Governance
Oracle / external dependencies
Infrastructure
Supply chain / release process
Operational
Monitoring & incident response
Logging & alerting

Each of the 40 controls is scored on a 4-point maturity scale, and pillar scores are combined to produce an overall security posture rating.

0
Not implemented
Absent or entirely ad hoc
1
Basic
Initial implementation with significant gaps
2
Mature
Consistent implementation with minor gaps
3
Advanced
Comprehensive implementation with continuous improvement

Assessments run in two stages.

  • Protocols first complete a self-assessment against all 40 controls.
  • STRIDE assessors then review the results and, where possible, work directly with the team to verify and score each control.

What we found: trends and patterns

Our first wave of assessments surfaced the findings below. One pattern stood out early: the most critical exposures are in operational practices and detection layers, areas often left untouched by audits.

Inadequate logging and alerting
~17%
Current state

Only ~17% are actively applying comprehensive logging and alerting controls. The majority of assessed protocols entirely lack centralized logging and alerting. They do not actively monitor for anomalous patterns on-chain or off-chain, and invariants are not accounted for in security measures.

The risk

Without real-time alerting, an active exploit can go unnoticed for hours or days. The inability to detect malicious behavior means attackers can systematically drain protocol liquidity without automated circuit breakers intervening or waking developers. By the time the team realizes an attack is occurring, the funds are already irreversibly lost. This is not limited to on-chain activity. The lack of logging and alerting in traditional environments, whether developer laptops, the infrastructure running off-chain resources, or SaaS products, all become blind spots in the staging of on-chain attacks.

Operational security, endpoint hardening, and key management failures
~13%
Current state

Only ~13% demonstrate mature operational security practices. The standard observed is unmanaged devices, which co-mingle personal attack surfaces with protocol development or signing environments. Developers often have broad-reaching, unchecked access to the entire development and production infrastructure pipeline. Beyond this, the ability to move funds or adjust key program parameters is often protected by a single key, which in some cases is even stored directly on disk.

The risk

Exploitation of a contributor endpoint can lead to compromised deployer keys, admin credentials, cloud access, CI/CD privileges, or access to signing workflows, enabling tampering with deployments, frontends, dependencies, or operational infrastructure. Because many environments lack endpoint hardening, access segmentation, and robust key management, a single compromised device may enable lateral movement across development, production, and signing systems. When critical protocol actions are protected by single keys or keys stored on disk, this can lead to unauthorized upgrades, parameter manipulation, fund transfers, service disruptions, or a complete protocol takeover.

Vulnerabilities in supply chain and release processes
~13%
Current state

Only ~13% use verifiable builds throughout their development and production pipelines, or take measures to prevent resource manipulation along the way. The lack of provenance goes beyond dependencies to artifacts constructed and utilized throughout development and operational environments. There are also frequent opportunities for a single actor to bypass intended security constraints.

The risk

A compromised dependency during the build process can infect the protocol's core binaries before they are even deployed. The ability for a threat actor to utilize compromised credentials to not only push malicious code into a main branch, but also to circumvent controls put in place to prevent this by virtue of broad administrative access can lead to end-to-end compromise. Where strong controls exist to protect the development pipeline, a lack of provenance for builds and enforcement when using artifacts in production might lead to the direct injection of malicious code.

Minimal circuit breakers and emergency response functions
~17%
Current state

Only ~17% of protocols include advanced IR capabilities that plan for unexpected outcomes, despite the overall lack of known exploitable bugs. There is frequently a lack of both on-chain and off-chain circuit breaker implementations with diverse coverage to include invariant violation. The built-in capability to respond to security events in an isolated manner is also rare, with most implementations relying on a single-protocol kill switch that is manually activated.

The risk

Traditional code review looks for the capability to exploit a protocol for its funds, which provides a good layer of security. However, you should also design your program so that if that security fails, protective actions come into play. Assuming that an impossible outcome cannot happen while failing to create a response function for when it does leaves you defenseless when an attacker achieves the unthinkable. While establishing a comprehensive set of protective scenarios is essential, failure to isolate these defenses to specific functions or capital pools can exacerbate the fallout from an exploit. A truly resilient response relies on the ability to compartmentalize risk and integrate multiple defensive factors to limit the overall impact on users.

Early signals

Protocols routinely overrate their own security posture

A consistent pattern we observed was a meaningful gap between self-reported scores and what independent review surfaces. Controls marked complete often had partial coverage or workarounds that only emerged under scrutiny.

This is not a criticism of the teams, but highlights what STRIDE was designed to find. Nobody can see their own blind spots, and the gap between what a team believes and what review confirms is one of the most useful signals we get.

This could be due to a variety of factors.

  • Resource-constrained teams. People often cover multiple roles without being an expert in each. Teams may lack the staffing to properly address security in depth across all disciplines.
  • Lack of institutional security backgrounds. Teams without prior exposure to enterprise security, regulated infrastructure, or formal audit and compliance environments may not have seen what good defense-in-depth looks like.
  • Audit culture. Many teams have been conditioned to treat smart contract audits as the main security milestone, creating a false sense of security upon completion.
  • Trust over formal security. Security is often entrusted to individuals rather than built into systems, without accounting for the moment when that trust is compromised.

Pressure to ship outweighs security

Many teams are under constant pressure to launch, grow their user base, attract liquidity, and keep up with the pace of web3. When time and money are limited, the work that helps prevent future problems can lose out to the work that gets a product live today.

Security may also not be the team's main specialty, or something they can afford to staff deeply. So teams often make practical trade-offs to keep moving, even when that means some risks are not yet fully understood or addressed. This is usually not carelessness; it is the reality of small teams trying to build serious infrastructure under startup-level constraints.

What is next

STRIDE is only 12 weeks old. Here is what comes next.

  • A larger dataset. More assessments mean more signal. Patterns that are directional now will become statistically robust as the number of participating protocols grows.
  • Framework refinement. Real assessment data is already informing how we run the process and weight controls. Expect the framework to keep evolving based on what we find in practice.
  • A rising bar. As more protocols participate, STRIDE increasingly becomes a reference point. Every assessment makes our overall ecosystem better.

A stronger Solana

We understand the constraints: security takes both time and money that could otherwise go toward shipping features or bootstrapping liquidity. A prevented attack leaves no trace, so its value is almost impossible to feel until the day a successful one makes it impossible to ignore. These are real pressures, and they are why security depth so often loses to the demands of right now.

Every team in STRIDE chose to rise to the challenge, and that takes a kind of nerve the whole ecosystem should respect.

Knowing exactly where we stand lets us set a north star for where Solana security needs to go next. The ecosystem has never been short on ambition or stamina; we move fast and stick with hard problems until they are solved. Raising the water level for everyone has always been core to our ethos, and that is what STRIDE is here to do: strengthen the ecosystem and protect what we have collectively worked so hard to build.

Every STRIDE assessment helps us build a more secure Solana.

Request an assessment