On January 31, 2026, Step Finance — a Solana DeFi analytics and yield aggregation platform — lost approximately $40 million when attackers compromised executive team devices and drained the protocol's treasury wallets. No smart contract bug was exploited. No flash loan was used. The attacker simply had the keys.
By February 23, Step Finance, SolanaFloor, and Remora Markets announced they were shutting down permanently. A 90% token crash. $4.7M recovered out of $40M. Three projects dead.
This wasn't a code vulnerability. It was an operational security (OpSec) failure — and it's becoming the dominant attack vector in 2026.
## What Actually Happened
The attack chain was devastatingly simple:
- Endpoint compromise — Attacker gained access to devices belonging to Step Finance executives
- Key extraction — With device access, the attacker obtained private keys or signing capabilities for treasury and fee wallets
- Fund drainage — 261,854 SOL was unstaked and moved out, along with other digital assets
- Laundering — Stolen funds were rapidly dispersed across multiple wallets
The entire attack bypassed every smart contract security measure. The contracts worked exactly as designed — they just obeyed whoever held the keys.
## Why This Matters More Than Another Flash Loan Exploit
February 2026 saw an 87% drop in total crypto losses compared to January, falling to ~$49.3M. But the composition of attacks shifted dramatically:
| Attack Vector | Old Dominance | 2026 Trend |
|---|---|---|
| Smart contract bugs | High | Declining |
| Private key compromise | Low | Rapidly rising |
| Phishing/social engineering | Medium | Dominant |
| Oracle manipulation | Medium | Stable |
Step Finance alone accounted for ~80% of February's total losses — all from compromised hardware. The message is clear: auditing your Rust or Solidity code isn't enough if your CEO's laptop is the weakest link.
## The Anatomy of Executive Device Compromise
How do attackers get into executive devices? Based on incident patterns across 2025-2026:
### 1. Targeted Spear Phishing
Executives receive tailored emails — fake audit reports, partnership proposals, or "urgent" Notion/Google Docs links — that deploy malware or credential stealers.
### 2. Supply Chain Attacks on Dev Tools
Malicious npm/cargo/pip packages target DeFi developers and team members. A single `npm install` of a compromised package can install a keylogger or clipboard hijacker.
### 3. Browser Extension Exploitation
Many team members use browser-based wallets alongside work tools. A compromised browser extension can exfiltrate wallet data, session tokens, or inject malicious transactions.
### 4. Social Engineering via Telegram/Discord
Attackers impersonate team members, investors, or ecosystem partners to trick executives into running "debug scripts" or connecting wallets to phishing sites.
### 5. Physical Access and Travel Attacks
At conferences and meetups, "evil maid" attacks on unattended laptops or rogue USB devices remain effective.
## The Step Finance Kill Chain: A Technical Reconstruction
```
[Phase 1: Reconnaissance]
├── Identify Step Finance executive team (LinkedIn, Twitter, on-chain activity)
├── Map wallet addresses linked to protocol operations
└── Determine which wallets control treasury + fee collection

[Phase 2: Initial Access]
├── Deliver malware to executive device(s)
│   ├── Spear phishing with malicious attachment
│   ├── Compromised dependency in build pipeline
│   └── Malicious browser extension or update
└── Establish persistent access

[Phase 3: Key Extraction]
├── Monitor clipboard for private keys/seed phrases
├── Extract wallet files from filesystem
├── Capture hardware wallet PIN via keylogger
└── Intercept transaction signing sessions

[Phase 4: Execution]
├── Unstake 261,854 SOL from staking contracts
├── Transfer treasury assets to attacker wallets
├── Drain fee collection wallets
└── Disperse funds across mixing infrastructure

[Phase 5: Aftermath]
├── STEP token crashes 90%+ in 24 hours
├── Only $4.7M recovered via ecosystem collaboration
└── Protocol announces permanent shutdown
```
## What Step Finance Should Have Done: The OpSec Hardening Checklist
### Treasury Architecture
**Rule 1: Never let a single device control treasury access.**
```
BAD:  CEO laptop → Hot wallet → Treasury (single point of failure)

GOOD: 3-of-5 multisig → Hardware wallets (dedicated) → Timelock → Treasury
      ├── Signer 1: CTO (Ledger, dedicated device, Location A)
      ├── Signer 2: CFO (Trezor, dedicated device, Location B)
      ├── Signer 3: Security Lead (Ledger, air-gapped, Location C)
      ├── Signer 4: External advisor (hardware wallet, Location D)
      └── Signer 5: DAO governance (on-chain vote required)
```
**Rule 2: Implement timelocks on all treasury operations.**
For any movement above a threshold (e.g., 1% of TVL), enforce a 24-48 hour timelock. This gives the team and community time to detect and respond to unauthorized transactions.
**Rule 3: Use dedicated signing devices.**
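To make Rules 1 and 2 concrete, here is an added example (not Step Finance code, and not any particular multisig program) that models the approval-threshold and timelock logic as a plain Rust state machine. The signer names, the 3-of-5 threshold, the 24-hour delay and the "1% of balance counts as large" rule are all constructed assumptions for illustration; a real deployment would hold this state on-chain.

```rust
use std::collections::BTreeSet;

/// Reasons a withdrawal is refused. (Constructed model, not a real program.)
#[derive(Debug, PartialEq)]
pub enum TreasuryError {
    UnknownSigner,
    DuplicateApproval,
    NotEnoughApprovals { have: usize, need: usize },
    TimelockActive { seconds_left: i64 },
    InsufficientFunds,
}

/// A queued withdrawal and the signers that have approved it.
#[derive(Debug)]
pub struct Proposal {
    pub to: String,
    pub lamports: u64,
    pub approvals: BTreeSet<String>,
    /// Unix time at which the approval threshold was reached; the timelock
    /// counts from here, not from the moment the proposal was created.
    pub fully_approved_at: Option<i64>,
}

pub struct Treasury {
    pub balance: u64,
    pub signers: BTreeSet<String>,
    pub threshold: usize,      // e.g. 3 of 5
    pub timelock_secs: i64,    // delay applied to "large" withdrawals
    /// Withdrawals at or above this share of the balance (basis points,
    /// 100 = 1%) must wait out the timelock; smaller ones execute at once.
    pub large_bps: u64,
}

impl Treasury {
    pub fn new(balance: u64, signers: &[&str], threshold: usize, timelock_secs: i64, large_bps: u64) -> Self {
        Treasury {
            balance,
            signers: signers.iter().map(|s| s.to_string()).collect(),
            threshold,
            timelock_secs,
            large_bps,
        }
    }

    pub fn propose(&self, to: &str, lamports: u64) -> Proposal {
        Proposal { to: to.to_string(), lamports, approvals: BTreeSet::new(), fully_approved_at: None }
    }

    /// One signer approves. An unknown signer, or one that already approved,
    /// is rejected, so a single compromised key cannot vote twice.
    pub fn approve(&self, p: &mut Proposal, signer: &str, now: i64) -> Result<usize, TreasuryError> {
        if !self.signers.contains(signer) {
            return Err(TreasuryError::UnknownSigner);
        }
        if !p.approvals.insert(signer.to_string()) {
            return Err(TreasuryError::DuplicateApproval);
        }
        if p.approvals.len() >= self.threshold && p.fully_approved_at.is_none() {
            p.fully_approved_at = Some(now);
        }
        Ok(p.approvals.len())
    }

    /// lamports / balance >= large_bps / 10_000, computed without division.
    pub fn is_large(&self, lamports: u64) -> bool {
        (lamports as u128) * 10_000 >= (self.balance as u128) * (self.large_bps as u128)
    }

    /// Execute a proposal: threshold first, then timelock, then funds.
    pub fn execute(&mut self, p: &Proposal, now: i64) -> Result<u64, TreasuryError> {
        let have = p.approvals.len();
        let approved_at = match p.fully_approved_at {
            Some(t) if have >= self.threshold => t,
            _ => return Err(TreasuryError::NotEnoughApprovals { have, need: self.threshold }),
        };
        if self.is_large(p.lamports) {
            let elapsed = now.saturating_sub(approved_at);
            if elapsed < self.timelock_secs {
                return Err(TreasuryError::TimelockActive { seconds_left: self.timelock_secs - elapsed });
            }
        }
        if p.lamports > self.balance {
            return Err(TreasuryError::InsufficientFunds);
        }
        self.balance -= p.lamports;
        Ok(self.balance)
    }
}

fn main() {
    // Constructed scenario: 3-of-5 signers, 24h timelock, "large" = at least 1% of balance.
    let mut t = Treasury::new(1_000_000_000, &["cto", "cfo", "security_lead", "advisor", "dao"], 3, 24 * 3600, 100);
    let mut p = t.propose("grant_recipient", 900_000_000); // 90% of the treasury
    for (signer, at) in [("cto", 0), ("cto", 1), ("cfo", 10), ("security_lead", 20)] {
        println!("approve by {} at t={}: {:?}", signer, at, t.approve(&mut p, signer, at));
    }
    println!("execute to {} at t=100: {:?}", p.to, t.execute(&p, 100));
    println!("execute after timelock: {:?}", t.execute(&p, 20 + 24 * 3600));
}
```

The point of the ordering in `execute` is that the timelock clock starts only once the threshold is met, so a single compromised signer can neither drain funds nor pre-age a proposal; the remaining signers still have the full delay to notice a proposal they did not expect.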
Every multisig signer must use a hardware wallet that:
- Was purchased directly from the manufacturer
- Has never connected to the internet outside of signing
- Is stored in a physically secure location
- Is never used for day-to-day browsing or development
### Device Security for Team Members
Executive Device Hardening Checklist:
- [ ] Dedicated machine for signing (no email, no browsing)
- [ ] Full-disk encryption enabled (FileVault/LUKS/BitLocker)
- [ ] Firmware password set
- [ ] USB port restrictions (no unauthorized devices)
- [ ] EDR (Endpoint Detection & Response) agent installed
- [ ] Browser extensions: allowlist only (no random extensions)
- [ ] 2FA on all accounts (hardware key preferred, NOT SMS)
- [ ] Separate user accounts for admin vs. daily use
- [ ] Automatic screen lock (< 2 minutes)
- [ ] VPN for all network traffic
- [ ] Regular OS and application updates (automated)
### Monitoring and Circuit Breakers
Every DeFi protocol should deploy real-time monitoring that triggers alerts on:
- Treasury movements exceeding daily threshold
- Unstaking events (these often precede drains)
- New address interactions from treasury wallets
- Multiple failed multisig attempts
- Large token transfers during off-hours
Tools like Forta, OpenZeppelin Defender, or BlockSec's Phalcon can automate this monitoring. Set up PagerDuty-style alerts that wake people up at 3 AM — because that's when attackers strike.
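The five alert rules above can be expressed as a small evaluation function. The following is an added example, not code from the article or from Forta, Defender or Phalcon; it runs the rules over a constructed batch of events shaped like the Step Finance drain (an off-hours unstake followed by a large transfer to an address the treasury has never touched). The thresholds, business hours, addresses and event timestamps are all assumed values.

```rust
use std::collections::BTreeSet;

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Kind { Transfer, Unstake, MultisigFailed }

/// One normalized on-chain event for a treasury-controlled wallet.
#[derive(Debug, Clone)]
pub struct Event {
    pub ts: i64,              // unix seconds
    pub kind: Kind,
    pub from: &'static str,
    pub to: &'static str,
    pub sol: f64,
}

/// Tunable alert rules (all values below are constructed examples).
pub struct Rules {
    pub daily_limit_sol: f64,
    pub large_transfer_sol: f64,
    pub business_hours_utc: (u32, u32),       // [start, end) hour of day
    pub known_counterparties: Vec<&'static str>,
    pub failed_multisig_limit: usize,
}

#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub enum Alert {
    UnstakeSeen,
    DailyThresholdExceeded,
    NewCounterparty(&'static str),
    OffHoursLargeTransfer,
    MultisigFailures(usize),
}

fn hour_utc(ts: i64) -> u32 {
    (ts.rem_euclid(86_400) / 3_600) as u32
}

/// Evaluate one day's events against the rules. Alerts are deduplicated and
/// sorted, so a caller can simply page on a non-empty result.
pub fn evaluate(rules: &Rules, events: &[Event]) -> Vec<Alert> {
    let mut alerts = BTreeSet::new();
    let mut moved_today = 0.0_f64;
    let mut failed = 0usize;
    let (start, end) = rules.business_hours_utc;
    for e in events {
        match e.kind {
            // Unstaking often precedes a drain, so it alerts on its own.
            Kind::Unstake => { alerts.insert(Alert::UnstakeSeen); }
            Kind::MultisigFailed => failed += 1,
            Kind::Transfer => {
                moved_today += e.sol;
                if moved_today > rules.daily_limit_sol {
                    alerts.insert(Alert::DailyThresholdExceeded);
                }
                if !rules.known_counterparties.contains(&e.to) {
                    alerts.insert(Alert::NewCounterparty(e.to));
                }
                let h = hour_utc(e.ts);
                let off_hours = h < start || h >= end;
                if off_hours && e.sol >= rules.large_transfer_sol {
                    alerts.insert(Alert::OffHoursLargeTransfer);
                }
            }
        }
    }
    if failed >= rules.failed_multisig_limit {
        alerts.insert(Alert::MultisigFailures(failed));
    }
    alerts.into_iter().collect()
}

pub fn default_rules() -> Rules {
    Rules {
        daily_limit_sol: 10_000.0,
        large_transfer_sol: 1_000.0,
        business_hours_utc: (8, 18),
        known_counterparties: vec!["stake_pool", "known_vendor"],
        failed_multisig_limit: 3,
    }
}

/// Constructed sample: a 03:00 UTC unstake, a large transfer to an unknown
/// address two minutes later, then three failed multisig attempts.
pub fn sample_drain_day() -> Vec<Event> {
    let three_am = 3 * 3600;
    let mut ev = vec![
        Event { ts: three_am, kind: Kind::Unstake, from: "treasury", to: "stake_pool", sol: 261_854.0 },
        Event { ts: three_am + 120, kind: Kind::Transfer, from: "treasury", to: "UNKNOWN_WALLET_constructed", sol: 200_000.0 },
    ];
    for i in 0..3 {
        ev.push(Event { ts: three_am + 300 + i, kind: Kind::MultisigFailed, from: "treasury", to: "", sol: 0.0 });
    }
    ev
}

fn main() {
    for a in evaluate(&default_rules(), &sample_drain_day()) {
        println!("ALERT: {:?}", a);
    }
}
```

Because `evaluate` returns data rather than printing, it can sit behind whatever pager or webhook the team already uses; the interesting design choice is that `UnstakeSeen` fires regardless of amount, matching the observation that unstaking is the earliest visible step of a drain.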
### The Nuclear Option: On-Chain Circuit Breakers
Smart contracts should include emergency pause mechanisms:
```rust
use anchor_lang::prelude::*;

/// Seconds that must elapse after a pause before an unpause is accepted.
pub const UNPAUSE_TIMELOCK: i64 = 48 * 60 * 60;

// Solana example: Guardian-triggered emergency pause
// (the `EmergencyPause`/`Unpause` account structs and `ProtocolState` are
// omitted here; `guardian` is expected to be a `Signer`.)
pub fn emergency_pause(ctx: Context<EmergencyPause>) -> Result<()> {
    let guardian = &ctx.accounts.guardian;
    let protocol_state = &mut ctx.accounts.protocol_state;
    // Any guardian can pause (low threshold)
    require!(
        protocol_state.guardians.contains(&guardian.key()),
        ErrorCode::Unauthorized
    );
    protocol_state.is_paused = true;
    protocol_state.paused_at = Clock::get()?.unix_timestamp;
    emit!(EmergencyPauseEvent {
        guardian: guardian.key(),
        timestamp: protocol_state.paused_at,
    });
    Ok(())
}

// Unpause requires multisig + timelock (high threshold)
pub fn unpause(ctx: Context<Unpause>) -> Result<()> {
    let protocol_state = &mut ctx.accounts.protocol_state;
    require!(
        Clock::get()?.unix_timestamp - protocol_state.paused_at > UNPAUSE_TIMELOCK,
        ErrorCode::TimelockNotExpired
    );
    // Requires multisig verification (separate instruction)
    protocol_state.is_paused = false;
    Ok(())
}

#[event]
pub struct EmergencyPauseEvent {
    pub guardian: Pubkey,
    pub timestamp: i64,
}

#[error_code]
pub enum ErrorCode {
    #[msg("Caller is not a registered guardian")]
    Unauthorized,
    #[msg("Unpause timelock has not expired")]
    TimelockNotExpired,
}
```
Key principle: It should be easy to pause (single guardian) but hard to unpause (multisig + timelock). Asymmetric security — fast defense, slow recovery.
## The Broader Pattern: 2026's Biggest Losses Aren't Code Bugs
| Incident | Loss | Root Cause |
|---|---|---|
| Step Finance (Jan 2026) | $40M | Executive device compromise |
| Bybit (Feb 2026) | $1.46B | UI spoofing on multisig signing |
| Phishing campaigns (Feb 2026) | $15M+ | Address poisoning, approval phishing |
| YieldBlox DAO (Feb 2026) | $10M | Oracle misconfiguration (operational) |
Three out of four of these could have been prevented by better operational security, not better smart contracts.
## The Uncomfortable Truth
The DeFi security industry has spent years perfecting smart contract audits, formal verification, and automated vulnerability detection. These are necessary — but they're increasingly insufficient.
The attack surface has shifted. Attackers now target:
- People (phishing, social engineering)
- Devices (malware, keyloggers, clipboard hijackers)
- Processes (weak multisig practices, single-signer treasuries)
- Infrastructure (DNS hijacking, frontend compromise, dependency poisoning)
A protocol can have five clean audits from top firms and still lose everything if the treasury signer's laptop gets compromised at a conference.
## Actionable Takeaways
1. **Assume your devices are compromised.** Design treasury access so that no single device compromise can drain funds.
2. **3-of-5 multisig minimum** for any treasury over $1M. Geographic and organizational diversity among signers.
3. **Dedicated hardware wallets for every signer.** Never connected to development machines.
4. **24-48 hour timelocks** on treasury operations above threshold amounts.
5. **Real-time monitoring** with alerting on unstaking events, large transfers, and off-hours activity.
6. **Quarterly security drills.** Simulate a device compromise and test your response time.
7. **On-chain circuit breakers** — easy to pause, hard to unpause.
8. **Supply chain hygiene** — lock dependencies, verify checksums, audit build pipelines.
Step Finance built functional smart contracts on Solana. Their code worked fine. Their operational security killed them. Don't repeat their mistake.
This article is part of the DeFi Security Deep Dives series by DreamWork Security. Follow for weekly analysis of exploits, vulnerabilities, and security best practices across Solana, EVM, and the broader DeFi ecosystem.