Avg attacker reconnaissance time for peer-class protocols
Sanctum's assessment for RD-F-163 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Peer-class reconnaissance time for similar Solana DeFi protocols:

- Drift Protocol (April 2026, $285M, DPRK, same Solana DeFi class): 3–6 months of social engineering reconnaissance before the April 1 strike. The CVT fake token was deployed March 12, 2026, giving ~20 days of on-chain staging; the social engineering ran over months.
- Bybit (February 2025, $1.5B, Lazarus): multi-week reconnaissance of the Safe{Wallet} developer environment.
- USPD baseline (T-09 §4.9): average 78-day reconnaissance window across sample.

For high-TVL Solana DeFi protocols with visible teams, Drift-class recon (multi-month social engineering targeting team members and multisig signers) is the dominant threat model. Sanctum's profile places it in the primary reconnaissance target class for DPRK actors: high-recognition brand ($1.37B TVL), partially doxxed founders (FP Lee, Jesse Cho, Jaye Tan), and external multisig signers from reputable Solana entities. v1 deferred analytical signal.
Sources
- Drift Protocol Incident — BlockSec analysis. BlockSec: Drift Protocol durable nonce exploitation timeline; CVT deployed March 12, 2026 (~20 days pre-strike). Retrieved 2026-05-04.
- Drift Protocol Hack: How Privileged Access Led to a $285M Loss. Chainalysis: Drift hack, months of team relationship-building before April 1 exploit. Retrieved 2026-05-04.
Methodology
Report the average number of days of attacker reconnaissance activity before a strike on peer-class protocols (lending/DEX/bridge/perps), sourced from the hack database.