Avg attacker reconnaissance time for peer-class protocols

Save (formerly Solend)'s assessment for RD-F-163 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Attacker wallet reconnaissance time before strike. Applicable. Two confirmed attack attempts against Solend with distinct patterns: (1) Aug 2021 auth-bypass: direct exploit with no published reconnaissance window — team detected and stopped same day; (2) Nov 2022 oracle manipulation: two-phase attack in a single night (probe attempt 12:15 AM UTC manipulating USDH to $8.80, exploit at 2:16 AM UTC pumping to ~$15 and draining ~$400K from isolated pools) — a short same-night probe-then-exploit reconnaissance pattern. The USPD 78-day pre-strike reconnaissance window applies to the broader Solana/DeFi attack class. For peer-class Solana lending protocols, the Drift Protocol DPRK attack (Apr 2026) involved 6-month social engineering with real-capital deposits. Solend's documented reconnaissance windows are short (same-night) but the protocol is a confirmed recurring target. Current posture: no reconnaissance activity detected in available public data (requires licensed TI feed for real-time

Sources #

URL
Immunebytes — Solend Nov 2022 exploit timelineNov 2022 oracle attack: two-phase same-night probe (12:15 AM) then exploit (2:16 AM) — short reconnaissance windowretrieved 2026-05-17
URL
Quadriga Initiative — Solend Aug 2021 insecure authentication check case studyAug 2021 auth-bypass: immediate exploit on first attempt — no pre-published reconnaissance windowretrieved 2026-05-17

Methodology #

Report the average number of days of attacker reconnaissance activity before a strike on peer-class protocols (lending/DEX/bridge/perps), sourced from the hack database.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol save factor RD-F-163 score yellow collected_at 2026-05-17 15:20:15