The Step Finance Treasury Hack: $30 Million in Solana Lost
By [Your Name] – Security Research Team
Introduction
On January 31, 2026, Step Finance, a prominent DeFi protocol on Solana, suffered a devastating attack on its treasury wallets. Attackers stole 261,854 SOL (approximately $30 million at the time). This incident highlights the risks of executive device compromise and the importance of treasury security.
The Attack Vector
Investigators determined that the private keys to Step Finance’s treasury wallets were exposed via compromised devices belonging to key executives. The exact infection method (spear phishing, malware, or physical access) has not been disclosed, but the incident underscores the human element in security.
What Was Stolen vs. Recovered
| Asset | Amount Stolen | Recovered |
|---|---|---|
| SOL | 261,854 SOL | ~$4.7M (partial recovery) |
The recovery of ~$4.7M was achieved through rapid coordination with exchanges and blockchain forensics firms. The rest of the stolen funds have not been recovered.
On-Chain Movement
After the attack, the stolen SOL was unstaked and transferred to several unknown addresses. Blockchain analysts at CertiK have traced some of the funds, but most remain unmoved as of this writing.
Lessons for Project Treasuries
- Executive device security: Use dedicated, air-gapped machines for treasury operations.
- Multi-signature requirements: Require at least 3-of-5 approvals for any large transfer.
- Time-locks: Implement delays on withdrawals to allow intervention.
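
The multi-signature and time-lock controls above can be modeled as one withdrawal policy. The following is an added example, not Step Finance's code or any Solana program's API. The signer names, the 24-hour delay and the single-signer veto are assumptions made for illustration; only the 3-of-5 threshold comes from the list.

```python
from dataclasses import dataclass, field
from typing import Optional

# 3-of-5 is the threshold named in the list above. The signer names and the
# 24-hour delay are constructed values for this illustration.
SIGNERS = frozenset({"ops-1", "ops-2", "ops-3", "ops-4", "ops-5"})
THRESHOLD = 3
DELAY_SECONDS = 24 * 3600


@dataclass
class Withdrawal:
    amount_sol: int
    destination: str
    approvals: set = field(default_factory=set)
    queued_at: Optional[float] = None  # set when the threshold is first met
    cancelled: bool = False


def approve(w, signer, now):
    """Record one approval; start the time-lock once the threshold is reached."""
    if signer not in SIGNERS:
        raise PermissionError(f"{signer} is not a treasury signer")
    if w.cancelled:
        raise RuntimeError("withdrawal was cancelled")
    w.approvals.add(signer)  # a set, so a repeated signer counts only once
    if len(w.approvals) >= THRESHOLD and w.queued_at is None:
        w.queued_at = now


def cancel(w, signer):
    """Assumed rule: any single signer can veto during the delay window."""
    if signer not in SIGNERS:
        raise PermissionError(f"{signer} is not a treasury signer")
    w.cancelled = True


def can_execute(w, now):
    """Funds move only with enough distinct approvals AND an elapsed delay."""
    if w.cancelled or w.queued_at is None:
        return False
    return len(w.approvals) >= THRESHOLD and now - w.queued_at >= DELAY_SECONDS
```

Under this policy, keys taken from one or two compromised devices cannot queue a transfer, and a transfer that does reach the threshold stays blocked for the full delay, during which any remaining signer can cancel it.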
Research Implications
This case is a valuable study for understanding how project-level thefts differ from individual wallet hacks. Researchers can monitor the known attacker addresses on Solscan to analyze laundering techniques.
Note: All addresses involved are public. Always use blockchain explorers for research—never engage with suspicious sources.

