In a stark reminder that Decentralized Finance (DeFi) security extends far beyond smart contract audits, Step Finance, a leading portfolio tracker on the Solana network, suffered a catastrophic treasury breach on January 31, 2026. The incident resulted in the loss of approximately $40 million in assets. While the industry had hoped for a more secure landscape following the trends identified in the crypto hacks 2025 report, this incident shows that “operational security failure” remains a critical threat vector, here through the compromise of executive-level devices that held treasury signing keys.
Breach Analysis: The Root Cause
On February 2, 2026, the Step Finance team confirmed that the breach was not a result of an exploit in their protocol’s code. Instead, the attacker gained unauthorized access to the private keys of the treasury wallets through the compromise of executive team devices.
By obtaining these keys, the attacker bypassed all programmatic security measures, effectively acting as a legitimate administrator to drain 261,932.4 SOL from a staked position, alongside other treasury assets.
Statement on Recent Security Incident
In the early afternoon hours of 31 January (APAC), approximately $40M was drained from the Step Finance treasury. This was a result of our executive team’s devices being compromised.
Immediately after detecting the breach, we began working…
— Step☀️ (@StepFinance_) February 2, 2026
Detailed Timeline of Events
On-chain forensics reveal that the attacker did not act on impulse. This was a methodical operation planned and executed over several days.
| Timestamp (UTC) | Event | On-Chain Evidence |
|---|---|---|
| Jan 28, 2026 | Attacker wallet (LEP1uH…) created and funded with 0.2 SOL directly from the compromised Step wallet. | Preliminary key compromise confirmed. |
| Jan 28, 2026 | Initial unstaking (deactivation) initiated on the primary stake account. | Preparation for withdrawal. |
| Jan 31, 2026, 03:55:16 | Critical attack transaction: stake authority transferred from Step Finance to the attacker. | Tx: 2w8sgATZ… |
| Jan 31, 2026 | 261,932.4 SOL withdrawn and moved to the attacker’s primary wallet. | Direct treasury drain. |
| Feb 2, 2026, 23:13 | Step Finance releases a full statement confirming executive device compromise. | Official post-mortem. |
Technical Breakdown: The Mechanism of the Attack
The attacker used the legitimate Solana Stake Program instructions to carry out the theft. Because the attacker held the private key of the authority wallet (3KNZ9i…XACaRs), the network had no way to distinguish these transactions from routine treasury operations: every signature checked out.
Two critical instructions were executed, both the Stake Program’s Authorize instruction, differing only in the authority type being reassigned:
- Set Staker Authority: This changed the key allowed to delegate or deactivate (“unstake”) the SOL from Step Finance to the attacker’s wallet (LEP1uH…o6SdNu).
- Set Withdrawer Authority: This changed the key allowed to withdraw the SOL once deactivation completed. On Solana the withdrawer authority can also reassign both authorities, so possession of this single key is sufficient to take full control of a stake account.
Transaction Signature: 2w8sgATZwcmRMHEsG3nutmZJrskVkp74LAwTTEyxSMBJhnZ7Ux4ticeYAYnTb6K44m1XYziPvqonSkZeukAAFadZ
Fund Flow Analysis
| Stage | Wallet Name | Wallet Address | Date | Amount (SOL) | Description |
|---|---|---|---|---|---|
| 1 | Step Finance Treasury | 3KNZ9i1dLNNqpBTKEkTgUQs6TNCd3bzuy6HwfoXACaRs | Jan 28 | 0.2 | Gas fees (funding of attacker wallet) |
| 2 | Step Finance Treasury | 3KNZ9i1dLNNqpBTKEkTgUQs6TNCd3bzuy6HwfoXACaRs | Jan 31 | 261,932.4 | Main exploit (stake withdrawal) |
| 3 | Attacker Wallet 1 | LEP1uHXcWbFEPwQgkeFzdhW2ykgZY6e9Dz8Yro6SdNu | Jan 31 | 261,932.61 | Full consolidation |
| 4 | Attacker Wallet 2 | 7raxiejD8hDUH1wyYWFDPrEuHiLUjJ4RiZi2z1u2udNh | Current | 261,932.62 | Secondary holding wallet |
Key On-Chain Data Points
| Account Type | Address | Current Status |
|---|---|---|
| Compromised Stake Account | 6G53KAWtQnZSSN6HUxnBs3yYsK1aCuJRbrcPbWGY71LL | Balance: 0 SOL |
| Original Step Wallet | 3KNZ9i1dLNNqpBTKEkTgUQs6TNCd3bzuy6HwfoXACaRs | Authority revoked |
| Attacker Address (Main) | LEP1uHXcWbFEPwQgkeFzdhW2ykgZY6e9Dz8Yro6SdNu | Labeled “Exploiter” |
| Current Fund Location | 7raxiejD8hDUH1wyYWFDPrEuHiLUjJ4RiZi2z1u2udNh | Actively monitored |
Financial Impact and Recovery Efforts
While the direct SOL loss is valued between $28.9M and $30M, Step Finance confirmed the total treasury impact reached $40 million. This breach stands as one of the largest single-protocol losses in recent weeks, significantly inflating the total figures recorded in the Crypto Hacks and Scams January 2026 digest.
Despite the magnitude of the loss, approximately $4.7 million has been successfully secured:
- $3.7M in Remora assets: Recovered via controls available in the Token-2022 (Token22) token standard.
- $1M in other positions: Recovered through swift protocol-level interventions.
Security Failures and Lessons Learned
This incident highlights critical vulnerabilities in operational security (OpSec) that are often overlooked in favor of code audits.
- Inadequate Key Management: Keeping high-value treasury keys on devices used for daily executive work (mail, chat, browsing) is a high-risk practice, because a single phishing or malware incident on that endpoint exposes the key. Such keys belong in hardware wallets or dedicated signing devices that never share a machine with everyday activity.
- Absence of Multi-Sig Protection: The fact that a single compromised key could change both the Staker and Withdrawer authority shows there was no multi-signature (Multi-Sig) threshold on major treasury movements. On Solana the withdrawer authority alone can reassign both authorities, so that key in particular should be a threshold multisig rather than one hot key.
- Monitoring Gaps: The attacker funded their wallet from Step’s own treasury three days before the main event, and the stake deactivation that set up the withdrawal was started the same day. A real-time alert on any treasury outflow to a never-seen address, on stake deactivation, and on any stake authority change would have provided an early warning.
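The two Authorize instructions in the technical breakdown above and the early-warning signals in the Monitoring Gaps point are the kind of events a treasury watcher should flag. The following detector is an added example and is not Step Finance’s or Solana Labs’ code. It consumes transactions in the Solana RPC’s `jsonParsed` encoding; the field names used for the stake program’s `authorize` and `withdraw` instructions and the system program’s `transfer` follow the RPC’s built-in parsers as I know them, so verify them against your own RPC output before relying on them. The four sample transactions at the bottom are constructed for illustration (they reuse the addresses from this article but are not the real on-chain transactions), and `COLD_MULTISIG` is a placeholder, not a real key.

```python
"""Treasury-drain detector for Solana stake and system program activity.

Added example, not project code. Input is the Solana RPC `jsonParsed`
transaction shape (assumed field names; verify against your RPC).
The sample transactions below are constructed, not real chain data.
"""
from dataclasses import dataclass, field

STAKE_PROGRAM = "Stake11111111111111111111111111111111111111"
SYSTEM_PROGRAM = "11111111111111111111111111111111"
LAMPORTS_PER_SOL = 1_000_000_000


@dataclass
class TreasuryPolicy:
    authorities: set          # keys allowed to hold staker/withdrawer authority
    stake_accounts: set       # stake accounts the treasury controls
    treasury_wallets: set     # wallets whose SOL outflows are watched
    known_counterparties: set = field(default_factory=set)


@dataclass
class Alert:
    severity: str   # "critical" or "warning"
    signature: str
    message: str


def _instructions(tx):
    """Yield top-level and inner parsed instructions of a jsonParsed tx."""
    yield from tx["transaction"]["message"].get("instructions", [])
    for inner in (tx.get("meta") or {}).get("innerInstructions") or []:
        yield from inner.get("instructions", [])


def check_transaction(tx, policy):
    """Return the alerts a single transaction raises against the policy."""
    sig = tx["transaction"]["signatures"][0]
    alerts = []
    for ix in _instructions(tx):
        parsed = ix.get("parsed")
        if not isinstance(parsed, dict):
            continue  # raw (unparsed) instruction: nothing to inspect here
        kind, info, prog = parsed.get("type"), parsed.get("info", {}), ix.get("programId")
        if prog == STAKE_PROGRAM and kind == "authorize":
            # Core step of the attack: staker or withdrawer authority moved
            # to a key outside the allowlist. Each move is flagged separately.
            if (info["stakeAccount"] in policy.stake_accounts
                    and info["newAuthority"] not in policy.authorities):
                alerts.append(Alert("critical", sig,
                    f"{info['authorityType']} authority of {info['stakeAccount']} "
                    f"moved to {info['newAuthority']}"))
        elif prog == STAKE_PROGRAM and kind == "withdraw":
            if info["stakeAccount"] in policy.stake_accounts:
                sol = info["lamports"] / LAMPORTS_PER_SOL
                alerts.append(Alert("critical", sig,
                    f"{sol:,.2f} SOL withdrawn from {info['stakeAccount']} "
                    f"to {info['destination']}"))
        elif prog == SYSTEM_PROGRAM and kind == "transfer":
            # Early warning: a treasury wallet paying a never-seen address,
            # even dust (the 0.2 SOL gas funding three days before the drain).
            if (info["source"] in policy.treasury_wallets
                    and info["destination"] not in policy.known_counterparties):
                sol = info["lamports"] / LAMPORTS_PER_SOL
                alerts.append(Alert("warning", sig,
                    f"{sol:.4f} SOL from {info['source']} to unknown "
                    f"address {info['destination']}"))
    return alerts


def scan(txs, policy):
    """Run the check over a batch of transactions, preserving order."""
    return [a for tx in txs for a in check_transaction(tx, policy)]


# --- Constructed sample data (illustrative only; not real chain data) ---
TREASURY = "3KNZ9i1dLNNqpBTKEkTgUQs6TNCd3bzuy6HwfoXACaRs"
STAKE_ACCOUNT = "6G53KAWtQnZSSN6HUxnBs3yYsK1aCuJRbrcPbWGY71LL"
ATTACKER = "LEP1uHXcWbFEPwQgkeFzdhW2ykgZY6e9Dz8Yro6SdNu"
COLD_MULTISIG = "HYPOTHETICAL-cold-multisig-address"  # placeholder, not a key


def _tx(sig, instructions):
    return {"transaction": {"signatures": [sig],
                            "message": {"instructions": instructions}},
            "meta": {"innerInstructions": []}}


def _authorize(new_authority, authority_type):
    return {"programId": STAKE_PROGRAM, "program": "stake",
            "parsed": {"type": "authorize", "info": {
                "stakeAccount": STAKE_ACCOUNT, "authority": TREASURY,
                "newAuthority": new_authority, "authorityType": authority_type}}}


SAMPLE_TXS = [
    _tx("constructed-1-funding", [{"programId": SYSTEM_PROGRAM, "program": "system",
        "parsed": {"type": "transfer", "info": {"source": TREASURY,
                   "destination": ATTACKER, "lamports": 200_000_000}}}]),
    _tx("constructed-2-authorize", [_authorize(ATTACKER, "Staker"),
                                    _authorize(ATTACKER, "Withdrawer")]),
    _tx("constructed-3-withdraw", [{"programId": STAKE_PROGRAM, "program": "stake",
        "parsed": {"type": "withdraw", "info": {"stakeAccount": STAKE_ACCOUNT,
                   "destination": ATTACKER, "withdrawAuthority": ATTACKER,
                   "lamports": 261_932_400_000_000}}}]),
    _tx("constructed-4-benign", [_authorize(COLD_MULTISIG, "Withdrawer")]),
]

POLICY = TreasuryPolicy(authorities={TREASURY, COLD_MULTISIG},
                        stake_accounts={STAKE_ACCOUNT},
                        treasury_wallets={TREASURY})

if __name__ == "__main__":
    for a in scan(SAMPLE_TXS, POLICY):
        print(f"[{a.severity.upper()}] {a.signature}: {a.message}")
```

Run against the samples, the detector raises a warning on the dust funding, two critical alerts for the Staker and Withdrawer reassignments, and one critical alert for the withdrawal, while the authority rotation to an allowlisted cold key passes silently. In production the same logic would sit behind a WebSocket or log subscription on the treasury and stake accounts, with the warning tier feeding a pager rather than a dashboard, since the only thing that made the Jan 28 transfer look benign was its size.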
Current Status and User Notice
Step Finance is currently working with leading cybersecurity firms and law enforcement to track the stolen funds.
- For Token Holders: Users are advised not to engage with the STEP token until the investigation is complete. A snapshot taken prior to the exploit will likely serve as the basis for any future remediation or token migration.
- Remora Markets: The platform has confirmed that rTokens remain backed 1:1 with custodial collateral and were largely protected by the Token22 security layer.
Conclusion
The Step Finance breach serves as a definitive case study in the importance of “Defense in Depth.” While the Solana blockchain and the Step Finance smart contracts functioned exactly as intended, the human element, specifically endpoint security, remained a single point of failure. For the DeFi industry to mature, protocols must treat executive devices as a primary attack surface and implement enterprise-grade controls such as Multi-Sig treasuries, time-locked authority changes, and real-time alerting on treasury activity.