The Step Finance hack wasn't a smart contract exploit. No reentrancy. No oracle manipulation. No flash loan attack. An attacker compromised the personal devices of executive team members, drained the treasury, and within weeks the entire platform — along with two affiliated projects — was dead.
This is a deep dive into what happened, why it matters, and the operational security practices that could have prevented it.
The Timeline
Late January 2026: Attackers gain access to devices belonging to Step Finance executives. Through these compromised endpoints, they reach the treasury and fee wallets.
January 31, 2026: 261,854 SOL (~$27-30M at the time) is unstaked and moved. Additional assets bring total losses to approximately $40 million.
Early February 2026: The team recovers ~$4.7M through partnerships and Solana's Token22 freeze capabilities. The STEP token crashes 97%.
February 24, 2026: Step Finance announces the shutdown of all operations — Step Finance, SolanaFloor, and Remora Markets — after failing to secure financing or acquisition deals.
The Attack Vector: Executive Device Compromise
This wasn't a protocol-level vulnerability. It was an operational failure. The attackers targeted the weakest link in the security chain: the humans with privileged access.
How Executive Device Compromise Typically Works
While Step Finance hasn't disclosed the exact attack chain, executive device compromise in crypto follows well-established patterns:
1. Spear Phishing
Targeted emails or messages crafted for specific executives. In crypto, these often impersonate investors, auditors, or partner protocols. A common variant: a fake "audit report PDF" that installs a RAT (Remote Access Trojan).
2. Supply Chain Attacks on Development Tools
Compromised npm packages, VS Code extensions, or browser extensions that exfiltrate credentials. The 2024 Ledger Connect Kit attack used this exact vector.
3. Social Engineering via Telegram/Discord
Fake job offers, partnership proposals, or "urgent security disclosures" that lead to malware downloads. The Lazarus Group (attributed to the $1.5B Bybit hack) uses this approach extensively.
4. Physical Device Access
If executives travel frequently or use shared workspaces, physical access to unlocked devices can be enough.
Why This Attack Succeeded
The core failure: treasury access was tied to devices that executives used for everyday activities. This violates a fundamental principle of crypto security: the signing environment should be air-gapped from the general computing environment.
┌─────────────────────────────────────────────┐
│ WHAT HAPPENED AT STEP FINANCE │
│ │
│ Executive Laptop (Email, Browser, Slack) │
│ ↕ (same device) │
│ Treasury Access (Private Keys / Signing) │
│ ↕ (compromised) │
│ $40M drained │
└─────────────────────────────────────────────┘
┌─────────────────────────────────────────────┐
│ WHAT SHOULD HAVE EXISTED │
│ │
│ Executive Laptop (Email, Browser, Slack) │
│ ✕ (air gap) │
│ Dedicated Signing Device (Hardware Wallet) │
│ ↕ (multi-sig threshold) │
│ Treasury requires N-of-M signatures │
│ from isolated, dedicated devices │
└─────────────────────────────────────────────┘
The Multisig Question
Here's the uncomfortable truth: most Solana DeFi protocols do not use proper multisig for their treasuries.
On Ethereum, Gnosis Safe (now Safe{Wallet}) provides battle-tested multisig infrastructure. On Solana, the options are more fragmented:
- Squads Protocol — The leading multisig solution on Solana, but adoption is still growing
- SPL Governance — Designed for DAO governance, more complex to set up
- Custom Program Derived Addresses (PDAs) — Some protocols roll their own, introducing additional risk
The Solana Multisig Gap
Unlike Ethereum where a 3-of-5 Gnosis Safe is basically table stakes for any serious protocol, Solana's multisig ecosystem is less mature. Many protocols still operate with:
- Single authority keys stored in hot wallets
- 1-of-1 "multisig" configurations (effectively a single point of failure)
- Upgrade authority keys on connected devices
This is a systemic risk in the Solana ecosystem that doesn't get enough attention.
What Token22's Freeze Authority Recovered
One bright spot: Step Finance recovered ~$4.7M thanks to Solana's Token Extensions (Token22) program. Token22 includes a freeze authority feature that allows token issuers to freeze tokens in any account.
For protocols using Token22-based tokens, this provides a post-hack recovery mechanism:
// Token22 freeze authority can freeze stolen tokens
// This is a double-edged sword: censorship resistance vs. recovery capability
spl_token_2022::instruction::freeze_account(
&spl_token_2022::id(),
&stolen_account,
&mint,
&freeze_authority,
&[],
)?;
However, this only works for Token22-native assets. The majority of the stolen SOL — a native token — couldn't be frozen this way.
The Broader Pattern: Off-Chain Attacks on DeFi
Step Finance joins a growing list of protocols killed not by code vulnerabilities but by operational failures:
| Incident | Year | Loss | Attack Vector |
|---|---|---|---|
| Ronin Network | 2022 | $615M | Compromised validator keys via fake job offer |
| Bybit | 2025 | $1.5B | Supply chain attack on Safe{Wallet} infrastructure |
| Step Finance | 2026 | $40M | Executive device compromise |
| Harmony Bridge | 2022 | $100M | Compromised 2-of-5 multisig keys |
The pattern is clear: as smart contract security improves, attackers shift to off-chain vectors. The code can be perfect, but if the humans controlling the keys are compromised, it doesn't matter.
The Operational Security Checklist Every Protocol Needs
Based on the Step Finance incident and similar attacks, here's a practical OpSec framework for DeFi protocols:
1. Key Management Architecture
TIER 1: Protocol Upgrade Authority
→ Hardware wallet (Ledger/Trezor)
→ Stored in physical safe
→ N-of-M multisig (minimum 3-of-5)
→ Keys distributed across geographic locations
→ Annual key rotation ceremony
TIER 2: Treasury / Fee Wallets
→ Separate hardware wallets per signer
→ Dedicated signing devices (NOT daily-use laptops)
→ Time-locked transactions (24-48h delay)
→ Maximum single-transaction limits
TIER 3: Operational Wallets
→ Hot wallets with minimal balances
→ Automated top-up from Tier 2
→ Rate limiting on outbound transfers
→ Monitoring and alerting
2. Device Security for Key Holders
- Dedicated signing devices: A separate laptop or tablet used ONLY for transaction signing. No email. No browser. No Telegram.
- Full disk encryption with hardware-backed keys
- Mobile Device Management (MDM) if using company devices
- Regular device audits — check for unauthorized software
- Mandatory security training focused on social engineering
3. Transaction Monitoring and Circuit Breakers
# Example: Simple treasury monitoring with alerting
TREASURY_THRESHOLD = 100_000 # SOL
async def monitor_treasury(connection, treasury_pubkey):
balance = await connection.get_balance(treasury_pubkey)
previous = load_previous_balance()
change = previous - balance
if change > TREASURY_THRESHOLD:
# Emergency: large outflow detected
await alert_all_signers("EMERGENCY: Large treasury outflow detected")
await trigger_freeze_authority() # If Token22
await pause_protocol() # If pausable
save_balance(balance)
4. Incident Response Plan
Every protocol should have a written, rehearsed incident response plan:
- Detection — Automated monitoring catches unusual activity
- Containment — Freeze what can be frozen, pause what can be paused
- Communication — Coordinated disclosure to users (NOT Twitter first)
- Investigation — Engage a forensics firm (Chainalysis, TRM Labs, etc.)
- Recovery — Work with exchanges and law enforcement
- Post-mortem — Public disclosure of what happened and what changed
5. The "Bus Factor" Problem
Step Finance's shutdown raises another question: what happens when key personnel are compromised or unavailable?
Protocols should implement:
- Dead man's switch: If no multisig activity in X days, trigger emergency governance
- Emergency governance: A fallback mechanism for the community to take control
- Succession planning: Documented procedures for key rotation if a signer is compromised
Lessons for Auditors
If you're auditing Solana (or EVM) protocols, smart contract review is necessary but not sufficient. A complete security assessment should include:
- Key management review: How are authority keys stored? Who has access?
- Multisig configuration: What's the threshold? Are signers distributed?
- Upgrade authority: Can the protocol be upgraded? Who controls it?
- Operational procedures: Are there documented processes for treasury management?
- Incident response: Does the team have a plan for when (not if) something goes wrong?
Many audit firms now offer "operational security reviews" alongside code audits. If your protocol hasn't had one, the Step Finance collapse is your wake-up call.
Conclusion
The Step Finance hack cost $40 million and killed three platforms. Not because of a Solana program bug. Not because of a DeFi exploit. Because executives had treasury access on the same devices they used for email and messaging.
In 2026, the smartest attackers aren't reading your Rust code looking for integer overflows. They're sending your CTO a fake partnership proposal on Telegram with a malicious PDF attached.
The code is the easy part. The hard part is everything around it.
DreamWork Security researches smart contract and operational security in the Solana and EVM ecosystems. Follow for deep dives into real-world security incidents and practical defense strategies.
Tags: solana, defi, security, web3, smart-contracts, operational-security, hack-analysis, cryptocurrency
Top comments (0)