Known-threat-actor cluster has touched protocol
Save (formerly Solend)'s assessment for RD-F-158 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Known-threat-actor wallet cluster interaction. T-09 v1 shortlist — phase-2. Applicable: Solend has two confirmed prior attack attempts (Aug 2021, Nov 2022) making it a documented target. The attacker wallets from those incidents would be in a properly-maintained TI cluster list. No active known-threat-actor wallet interaction reported by any public attribution source (Chainalysis, Arkham, Nansen) against Save/Solend contracts as of 2026-05-17. Requires licensed Solana TI feed + curated threat-actor cluster list. Program address filter: So1endDq2YkqhipRh3WViPa8hdiSpxWy6z3Z6tMCpAo.
Sources
- URL: SLND-INCDT-01 HackMD report — Aug 2021 auth-bypass exploit. Aug 2021 exploit — attacker wallet interacted with UpdateReserveConfig on Solend program; no public address label found. Retrieved 2026-05-17.
- The Block — Solend oracle attack Nov 2022. Nov 2022 oracle attack — attacker wallets spent $113K USDC on first pump attempt; no public Chainalysis cluster label found. Retrieved 2026-05-17.
Methodology
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.
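A sketch of how the check above could be run over already-fetched transactions. This is an added example, not the curator's own tooling. It assumes transaction records shaped like Solana JSON-RPC `getTransaction` responses; the function names, wallet addresses and cluster labels are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

PROGRAM_ID = "So1endDq2YkqhipRh3WViPa8hdiSpxWy6z3Z6tMCpAo"  # program address filter from the page
WINDOW = timedelta(days=30)                                  # look-back stated in the methodology

def tx_accounts(tx):
    """Every account a transaction references: static keys plus lookup-table loads."""
    keys = {k["pubkey"] if isinstance(k, dict) else k          # jsonParsed vs. json encoding
            for k in tx["transaction"]["message"]["accountKeys"]}
    loaded = (tx.get("meta") or {}).get("loadedAddresses") or {}
    return keys | set(loaded.get("writable", [])) | set(loaded.get("readonly", []))

def cluster_hits(transactions, cluster, now):
    """Return (signature, address, label, failed) for cluster addresses seen with PROGRAM_ID in WINDOW."""
    hits = []
    for tx in transactions:
        if tx.get("blockTime") is None:                        # cannot be placed in the window
            continue
        when = datetime.fromtimestamp(tx["blockTime"], tz=timezone.utc)
        accounts = tx_accounts(tx)
        if not (now - WINDOW <= when <= now) or PROGRAM_ID not in accounts:
            continue
        failed = (tx.get("meta") or {}).get("err") is not None  # failed attempts still count
        for addr in sorted(accounts & cluster.keys()):
            hits.append((tx["transaction"]["signatures"][0], addr, cluster[addr], failed))
    return hits

# Constructed sample data: placeholder addresses and labels, not real attribution.
NOW = datetime(2026, 5, 17, tzinfo=timezone.utc)
CLUSTER = {"EXAMPLE_EXPLOITER_WALLET_A": "example-2021-incident",
           "EXAMPLE_EXPLOITER_WALLET_B": "example-2022-incident"}

def _tx(sig, days_ago, keys, loaded=(), err=None):
    return {"blockTime": int((NOW - timedelta(days=days_ago)).timestamp()),
            "transaction": {"signatures": [sig], "message": {"accountKeys": list(keys)}},
            "meta": {"err": err, "loadedAddresses": {"writable": list(loaded), "readonly": []}}}

SAMPLE = [
    _tx("sig1", 3, ["EXAMPLE_EXPLOITER_WALLET_A", PROGRAM_ID]),              # direct hit
    _tx("sig2", 10, ["EXAMPLE_USER", PROGRAM_ID], ["EXAMPLE_EXPLOITER_WALLET_B"],
        err={"InstructionError": [0, {"Custom": 1}]}),                       # via lookup table, failed
    _tx("sig3", 45, ["EXAMPLE_EXPLOITER_WALLET_A", PROGRAM_ID]),              # outside the window
    _tx("sig4", 1, ["EXAMPLE_EXPLOITER_WALLET_B", "EXAMPLE_OTHER_PROGRAM"]),  # other program
    _tx("sig5", 2, ["EXAMPLE_USER", PROGRAM_ID]),                             # no cluster address
]

if __name__ == "__main__":
    for hit in cluster_hits(SAMPLE, CLUSTER, NOW):
        print(hit)
```

Matching any referenced account is deliberately broader than matching signers, so a hit is a lead for analyst triage rather than proof that the labeled wallet initiated the transaction.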