OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Intel· Apr 6, 2026· 3 min read

Solana's Post-Drift Security Program Wouldn't Have Stopped Drift

On April 6, the Solana Foundation and Asymmetric Research launched STRIDE — a tiered security program offering 24/7 threat monitoring for protocols above $10M TVL, formal verification for protocols above $100M, and a new Solana Incident Response Network of five security firms. The program is a genuine improvement to the ecosystem's security posture. It also would not have caught the Drift attack, which bypassed code entirely and ran through governance and social engineering of human signers.

Key takeaways

  1. STRIDE (Solana Trust, Resilience and Infrastructure for DeFi Enterprises) launched April 6, 2026. All Solana DeFi protocols are eligible to apply. Protocols above $10M TVL that pass evaluation receive foundation-funded 24/7 operational security monitoring. Protocols above $100M TVL receive formal verification — mathematical proofs checking every possible smart contract execution path
  2. The Solana Incident Response Network (SIRN) unites five founding security firms including OtterSec and Neodyme for real-time crisis coordination. The network is designed to mobilize faster than any individual protocol's security team could during an active exploit
  3. The Drift attack was not a smart contract exploit. It began on March 11, 21 days before execution. The attacker social-engineered two of Drift's five Security Council multisig signers into pre-approving durable nonce transactions they did not understand. The zero-timelock Security Council migration on March 27 eliminated the detection window. Code monitoring would not have flagged any of this — the pre-signed transactions were cryptographically valid admin actions
  4. Solana Foundation President Lily Liu acknowledged the nature of the shift after the exploit: smart contracts held up, the real targets now are humans — social engineering and operational security weaknesses more than code exploits. Ledger CTO Charles Guillemet linked the Drift method directly to the 2025 Bybit hack, attributing both to DPRK-linked actors
  5. TRM Labs published preliminary findings attributing the Drift attack to North Korean hackers. On-chain staging began at 12:00 AM GMT on March 12 — 9:00 AM Pyongyang time — consistent with prior DPRK operational patterns. The attack mirrors the Bybit playbook: patient preparation, social engineering of signers, pre-staged execution, rapid fund movement across chains

What Happened

On April 6, six days after the Drift Protocol hack, the Solana Foundation and Asymmetric Research launched STRIDE — a tiered DeFi security program built around public protocol evaluations, continuous threat monitoring, and a new incident response network. Every Solana DeFi protocol is eligible to apply. Protocols holding more than $10 million in total value locked that pass the STRIDE evaluation receive foundation-funded 24/7 monitoring. Protocols above $100 million TVL receive formal verification. The Solana Incident Response Network, or SIRN, brings five founding security firms — including OtterSec and Neodyme — into a coordinated crisis response framework.

The timing is not coincidental. Drift Protocol lost $285 million on April 1, making it the largest DeFi hack of 2026 and the second-largest in Solana's history. STRIDE was in development before the Drift incident, but Drift accelerated the announcement. The Solana Foundation described the program as deepening a commitment to ecosystem security that has been underway for years. The more pointed question the program raises: would any of it have stopped what happened to Drift?

What STRIDE Does and Does Not Cover

Formal verification, the most rigorous component of STRIDE, uses mathematical proofs to check every possible execution path in a smart contract. It can eliminate entire classes of vulnerabilities that standard audits miss — reentrancy bugs, integer overflows, logic errors in edge cases. It is genuinely valuable. Trail of Bits audited Drift's smart contracts in 2022. ClawSecure audited them in February 2026. Both gave passing grades. The contracts were not the problem.

The Drift attack began with social engineering, not a code vulnerability. The attacker spent three weeks building legitimacy for a fake token and simultaneously convincing two of Drift's five Security Council multisig signers to pre-approve durable nonce transactions — a Solana feature that lets signed transactions execute at a future time without expiring. The signers did not understand what they were approving. The transactions were cryptographically valid. On March 27, Drift migrated its Security Council to a new 2-of-5 threshold with zero timelock, eliminating the delay that could have created a detection window. From a code monitoring perspective, nothing was wrong until $285 million had already left.

DPRK Attribution and the Bigger Pattern

TRM Labs published preliminary findings attributing the Drift attack to North Korean hackers. On-chain staging began at 12:00 AM GMT on March 12 — 9:00 AM Pyongyang time — and funded the deployment of CarbonVote Token, the fake collateral asset used in the exploit. Blockchain analytics firm Elliptic also noted on-chain behavior consistent with prior DPRK-linked operations. Ledger CTO Charles Guillemet linked the Drift method directly to the 2025 Bybit hack that cost $1.5 billion, attributing both to the same group and describing the Drift attack as the same playbook at a different target.

The DPRK pattern across both operations is the same: patient long-term preparation measured in weeks, social engineering of human signers rather than exploitation of code, pre-staged execution using valid governance mechanisms, and rapid cross-chain fund movement within hours of the drain. No smart contract monitoring catches patient social engineering three weeks before execution. No code audit flags a signer who was deceived into approving a legitimate-looking admin transaction.

What This Means for You

STRIDE is a genuine improvement to the Solana DeFi ecosystem's security posture. More formal verification, faster incident response, and continuous monitoring for high-TVL protocols are better than the previous state. The Drift attack does not invalidate those improvements — it just illustrates that the attack surface STRIDE is designed for and the attack surface DPRK is operating on are different surfaces.

For anyone holding assets in DeFi protocols on any chain: the meaningful question after Drift is not whether the code was audited. It is who controls the admin keys, what governance process they operate under, whether timelocks exist on critical parameter changes, and how signers are trained to scrutinize what they are approving. Drift had audited code. It had a multisig. It lacked timelocks and signer verification discipline. The next exploit that follows this pattern will also have audited code.

What to Watch

Watch whether STRIDE evolves to include governance and operational security evaluations alongside code review — specifically, whether it assesses multisig configurations, timelock requirements, and signer training as part of its protocol evaluation framework. The technical fix is known and well-documented: mandatory timelocks on all governance actions, independent transaction verification tooling for multisig signers, and reduced admin key surface area. The question is whether the incident creates enough institutional pressure to make those requirements standard across the ecosystem.

STRIDE monitors code. The Drift attack ran through humans.

Sources

  1. [1]Solana Foundation — STRIDE launch announcement, @SolanaFndn, April 6, 2026
  2. [2]Bitcoin News / Defi Bitcoin News — 'Solana Foundation Launches STRIDE Security Program for DeFi Protocols Following Drift Incident', April 6, 2026
  3. [3]CryptoBriefing — 'Solana Foundation Launches STRIDE and SIRN DeFi Security Programs', April 6, 2026
  4. [4]TRM Labs — 'North Korean Hackers Attack Drift Protocol in USD 285 Million Heist', April 2, 2026
  5. [5]CoinDesk — 'Here Is How Drift Attackers Drained More Than $270 Million Using a Solana Feature Designed for Convenience', April 2, 2026
  6. [6]Elliptic — preliminary on-chain analysis citing DPRK-consistent behavior patterns, April 2, 2026

More in Intel

Trump Executive Order Moves Federal PQC Deadline to 2031Islamabad Declaration Trades Iran's Bitcoin Toll for Sanctions ReliefProject Eleven's 15-Bit Quantum Bounty, Reproduced in 20 Python Lines