DEV Community

ohmygod

The Step Finance Autopsy: Why $27M in Audited Contracts Died From a Phishing Email

On January 31, 2026, Step Finance — the self-proclaimed "front page of Solana" — lost $27.3 million in 90 minutes. Not from a flash loan. Not from a reentrancy bug. Not from an oracle manipulation.

From a compromised laptop.

Their smart contracts were audited. Their code was clean. Their bug bounty was live. And none of it mattered, because the attacker didn't need to hack the code — they just needed to phish an executive.

This isn't a post-mortem of Step Finance. It's a field manual for every DeFi team that thinks "we passed our audit" means "we're secure."


The Attack: 90 Minutes From Inbox to Insolvency

Here's the timeline, reconstructed from CertiK's on-chain analysis and Step Finance's own disclosures:

Step 1: Device Compromise
The attacker gained access to executive team devices — plural — through what Step Finance euphemistically called "a well-known attack vector." Translation: social engineering. Most likely a targeted phishing email during APAC hours, when the team's guard was down.

Step 2: Key Extraction
With device access, the attacker extracted private keys or installed transaction-signing malware. On Solana, stake authority transfer requires direct wallet permissions — no smart contract exploit needed when you are the signer.

Step 3: Stake Authority Transfer
The attacker transferred stake authorization to a fresh wallet (LEP1uHXcWbFEPwQgkeFzdhW2ykgZY6e9Dz8Yro6SdNu), then methodically unstaked 261,854 SOL from treasury and fee wallets.

Step 4: Extraction
261,932 SOL — $27.3 million — withdrawn in a single transaction. Clean, fast, irreversible.

Step 5: Discovery (Too Late)
The team detected the breach hours after it completed. Their first public acknowledgment was a tweet asking cybersecurity firms to "slide into DMs." They eventually recovered $4.7 million through Token22 protections on Remora assets.

The STEP token crashed 93%. Step Finance and its subsidiaries (SolanaFloor, Remora Markets) shut down permanently.


Why Audits Didn't Save Them

Let's be clear about what smart contract audits do and don't cover:

| What Audits Check | What Audits Don't Check |
|---|---|
| Reentrancy patterns | Who holds the private keys |
| Access control in code | Endpoint security on executive laptops |
| Integer overflow/underflow | Email phishing resilience |
| Oracle manipulation vectors | Off-hours monitoring coverage |
| Upgrade proxy safety | Multisig threshold adequacy |
| Business logic flaws | Key rotation policies |

Step Finance had every box in the left column checked, and zero coverage of anything in the right column.

This isn't an anomaly. Chainalysis data shows private key compromises drove 88% of crypto losses in Q1 2025, and the pattern accelerated into 2026. The industry's security investment is overwhelmingly concentrated on smart contract correctness while operational security — the thing actually killing projects — gets treated as an afterthought.


The OpSec Playbook: 7 Controls That Would Have Stopped This

1. Hardware-Isolated Signing (Non-Negotiable)

The failure: Executive devices with hot key access.

The fix: Treasury operations must use dedicated hardware wallets (Ledger, Trezor) on air-gapped or purpose-limited machines. The signing device should never be the same device that reads email, opens links, or runs a browser.

```text
❌ Executive laptop → Email + Signing authority
✅ Executive laptop → Email only
   Dedicated signing device → Hardware wallet + air-gapped machine
```

For Solana specifically, Squads Protocol provides multisig infrastructure that enforces hardware wallet signing for each participant. There's no excuse for a treasury wallet controlled by a single hot key on a general-purpose device.

2. Multisig with Geographic Distribution

The failure: Single points of failure. One compromised device = full treasury access.

The fix: All treasury operations should require M-of-N multisig, where:

  • N ≥ 5 signers
  • M ≥ 3 required signatures
  • Signers distributed across different physical locations and time zones
  • No single person controls enough keys to meet threshold

```solidity
// Conceptual: even if an attacker compromises 2 signers,
// they still can't move funds without a 3rd
require(validSignatures >= 3, "Insufficient approvals");
```

Geographic distribution matters because it defeats the "APAC hours" attack pattern — if your signers span US/EU/APAC, there's always someone awake to notice anomalous signing requests.

3. Time-Locked Withdrawals with Alert Triggers

The failure: 261,854 SOL unstaked and withdrawn with no delay or alert.

The fix: Implement time-locks on all treasury movements above a threshold:

  • Tier 1 (< $10K): Instant with multisig
  • Tier 2 ($10K–$100K): 6-hour time-lock with team notification
  • Tier 3 (> $100K): 24-hour time-lock with mandatory confirmation from all signers

During the time-lock period, any signer can cancel the transaction. This turns a 90-minute heist into a 24-hour window where the team can intervene.

On Solana, this can be implemented through Squads v4's time-lock vaults or custom program logic with Clock::get() checks:

```rust
// Solana time-lock check
let current_time = Clock::get()?.unix_timestamp;
let unlock_time = withdrawal_request.created_at + TIMELOCK_SECONDS;
require!(current_time >= unlock_time, ErrorCode::TimelockActive);
```
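The tiered time-lock above and the M-of-N rule from control 2, combined in one off-chain policy model as an added example (not Step Finance's, Squads', or any program's code): approvals, the tier's delay, and a one-signer veto are checked the way a program's `require!()` calls would check them. Signer ids and regions are hypothetical, and amounts exactly on a tier boundary are assumed to fall into the higher tier.

```python
from dataclasses import dataclass, field

# Tiers from the article, in USD: (upper bound, lock delay in seconds, every signer must confirm).
# Assumption: an amount exactly on a boundary falls into the higher tier.
TIERS = [
    (10_000, 0, False),               # Tier 1: instant, normal multisig threshold
    (100_000, 6 * 3600, False),       # Tier 2: 6-hour time-lock
    (float("inf"), 24 * 3600, True),  # Tier 3: 24-hour time-lock, all signers confirm
]

@dataclass
class Policy:
    signers: dict        # hypothetical signer id -> region, e.g. {"alice": "US"}
    threshold: int = 3   # M of N
    def __post_init__(self):
        # N >= 5, M >= 3 and (assumed) signers spread over at least three regions
        if len(self.signers) < 5 or self.threshold < 3 or len(set(self.signers.values())) < 3:
            raise ValueError("policy violates N>=5, M>=3, geographic distribution")

@dataclass
class Withdrawal:
    amount_usd: float
    created_at: int      # unix seconds; on chain this is compared with Clock::get()
    approvals: set = field(default_factory=set)
    cancelled: bool = False

def tier_for(amount_usd):
    # Returns (tier number, delay in seconds, needs_all_signers) for an amount
    for n, (limit, delay, needs_all) in enumerate(TIERS, start=1):
        if amount_usd < limit:
            return n, delay, needs_all

def approve(w, signer, policy):
    if signer not in policy.signers:
        raise ValueError(f"unknown signer {signer}")
    w.approvals.add(signer)

def cancel(w):
    w.cancelled = True   # any single legitimate signer can veto during the lock window

def can_execute(w, policy, now):
    # Returns (allowed, reason); mirrors the require!() checks a program would enforce
    if w.cancelled:
        return False, "cancelled"
    tier, delay, needs_all = tier_for(w.amount_usd)
    required = len(policy.signers) if needs_all else policy.threshold
    if len(w.approvals) < required:
        return False, f"tier {tier}: {len(w.approvals)}/{required} approvals"
    if now < w.created_at + delay:
        return False, f"tier {tier}: time-lock active until {w.created_at + delay}"
    return True, f"tier {tier}: ok"
```

With two of five signers compromised, a $27.3M request sits in Tier 3 and cannot execute at the 90-minute mark: it lacks approvals, and even with all five it stays locked for 24 hours, during which any signer can cancel it.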

4. Endpoint Detection and Response (EDR) on All Signing Devices

The failure: Malware/keylogger on executive devices went undetected.

The fix: Every device with any proximity to signing authority needs:

  • EDR software (CrowdStrike, SentinelOne) with 24/7 SOC monitoring
  • Mobile Device Management (MDM) with remote wipe capability
  • Application allowlisting — only pre-approved software can execute
  • Browser isolation for web3 interactions
  • Mandatory disk encryption (FileVault/BitLocker)

Cost: ~$15–30/device/month. Step Finance's loss: $27.3 million.

The ROI calculation writes itself.

5. Automated On-Chain Monitoring

The failure: The breach completed hours before detection.

The fix: Deploy real-time monitoring that alerts on:

  • Stake authority changes
  • Unusual unstaking patterns
  • Large transfers from treasury addresses
  • New program deployments from upgrade authority
  • Any interaction from unrecognized addresses

Tools for this:

  • Forta Network — custom detection bots (we covered this in a previous article)
  • Helius webhooks (Solana-specific) — real-time transaction monitoring
  • Custom scripts polling getSignaturesForAddress on treasury accounts

A Forta bot for detecting Step Finance-style attacks:

```python
# Simplified Forta bot logic
# STAKE_PROGRAM_ID and WATCHED_TREASURY_ACCOUNTS are configured elsewhere in the bot
def handle_transaction(transaction_event):
    findings = []
    # Detect stake authority transfers on watched accounts
    for instruction in transaction_event.instructions:
        if (instruction.program == STAKE_PROGRAM_ID and
                instruction.type == "authorize" and
                instruction.account in WATCHED_TREASURY_ACCOUNTS):
            findings.append(Finding(
                name="Treasury Stake Authority Changed",
                severity=FindingSeverity.Critical,
                alert_id="STEP-1",
                description=f"Stake authority transferred to {instruction.new_authority}",
            ))
    # Forta expects a list of findings (possibly empty) from every handler call
    return findings
```
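The full alert list from this section (stake authority changes, unusual unstaking, large treasury transfers, unrecognized counterparties), as an added example that extends the bot above and is not Forta's or Helius's code: a stateful Python monitor over parsed transactions. The dict schema, account names, thresholds and sample transactions are constructed for the example; only the stake program id is the real one.

```python
from collections import deque

# Real Solana stake program id; every account name below is a constructed placeholder.
STAKE_PROGRAM_ID = "Stake11111111111111111111111111111111111111"

class TreasuryMonitor:
    """Rule engine over parsed transactions; the dict schema is constructed for this example."""
    def __init__(self, treasury, allowlist, large_sol=10_000, burst=5, window=3600):
        self.treasury = set(treasury)
        self.allowlist = set(allowlist) | self.treasury   # destinations funds may flow to
        self.large_sol, self.burst, self.window = large_sol, burst, window
        self.deactivations = deque()                      # timestamps of recent unstakes

    def check(self, tx):
        """Return (severity, message) alerts raised by one transaction."""
        alerts, ts = [], tx["timestamp"]
        for ix in tx["instructions"]:
            src = ix["account"]
            if src not in self.treasury:
                continue                                   # only treasury accounts are watched
            prog, kind = ix["program"], ix["type"]
            if prog == STAKE_PROGRAM_ID and kind == "authorize":
                alerts.append(("CRITICAL", f"{src}: stake authority -> {ix['new_authority']}"))
            elif prog == STAKE_PROGRAM_ID and kind == "deactivate":
                self.deactivations.append(ts)              # sliding window of unstakes
                while self.deactivations[0] < ts - self.window:
                    self.deactivations.popleft()
                if len(self.deactivations) >= self.burst:
                    alerts.append(("HIGH", f"{len(self.deactivations)} unstakes within {self.window}s"))
            elif kind in ("withdraw", "transfer"):         # stake or system program outflow
                dest = ix["destination"]
                if ix["sol"] >= self.large_sol:
                    alerts.append(("HIGH", f"{src}: {ix['sol']:,} SOL -> {dest}"))
                if dest not in self.allowlist:
                    alerts.append(("MEDIUM", f"{src}: unrecognized counterparty {dest}"))
        return alerts

# Constructed sample with the attack's shape: authority change, a run of unstakes, one big withdrawal.
SAMPLE = (
    [{"timestamp": 1000, "instructions": [{"program": STAKE_PROGRAM_ID, "type": "authorize",
      "account": "TreasuryStake1", "new_authority": "AttackerWallet"}]}]
    + [{"timestamp": 1000 + i * 60, "instructions": [{"program": STAKE_PROGRAM_ID,
        "type": "deactivate", "account": "TreasuryStake1"}]} for i in range(1, 6)]
    + [{"timestamp": 6400, "instructions": [{"program": STAKE_PROGRAM_ID, "type": "withdraw",
        "account": "TreasuryStake1", "destination": "AttackerWallet", "sol": 261_932}]}]
)

def run(txs, treasury=("TreasuryStake1", "TreasuryFee1"), allowlist=("PayrollWallet",)):
    """Feed transactions through one monitor and collect every alert in order."""
    mon = TreasuryMonitor(treasury, allowlist)
    return [alert for tx in txs for alert in mon.check(tx)]
```

The very first transaction, the authority change, already raises a CRITICAL alert; with a Helius webhook or a `getSignaturesForAddress` poller feeding `check()`, that is the point at which the team would have been paged, hours before the funds left.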

6. Operational Security Training (Quarterly, Mandatory)

The failure: Executives fell for a "well-known attack vector."

The fix: Quarterly security training isn't optional for DeFi teams handling millions. It should cover:

  • Phishing simulation: Monthly simulated phishing campaigns targeting all team members. Anyone who clicks gets immediate remedial training.
  • Approval hygiene: Never sign transactions from a link in an email/DM. Always navigate directly to the protocol dashboard.
  • Device hygiene: No personal browsing on signing-adjacent devices. No installing unverified software.
  • Incident response drills: Tabletop exercises simulating a treasury compromise. Who calls whom? What gets frozen first? Where's the war room?

The Step Finance team's first instinct was to tweet asking for help. That's not an incident response plan — that's a panic response.

7. Segregated Treasury Architecture

The failure: Entire treasury accessible through a single attack surface.

The fix: Never keep all assets in one place:

```text
Treasury Architecture:
├── Hot Wallet (5% of funds)
│   ├── Daily operations, automated payments
│   └── Multisig: 2-of-3, 1-hour time-lock
├── Warm Wallet (15% of funds)
│   ├── Weekly rebalancing, staking rewards
│   └── Multisig: 3-of-5, 24-hour time-lock
└── Cold Vault (80% of funds)
    ├── Long-term holdings, emergency reserve
    ├── Multisig: 4-of-7, 72-hour time-lock
    └── Geographic distribution required
```

If Step Finance had this architecture, the worst case would have been losing 5% of treasury ($1.4M) instead of everything.


The Uncomfortable Truth: Code Security ≠ Protocol Security

The DeFi industry has a collective delusion: the belief that audited code equals a secure protocol.

Here's the reality from 2025–2026 incident data:

  • 88% of crypto losses came from private key compromises (Chainalysis)
  • Social engineering was the #1 attack vector across all categories
  • The average audit cost is $50K–$200K
  • The average OpSec budget for DeFi teams: approximately $0

We've built an industry that spends hundreds of thousands on formal verification of smart contracts, then stores the admin keys on the same laptop that browses Twitter.

Step Finance is dead. Their code was fine. Their operations killed them.


Checklist: Is Your DeFi Team Step Finance-Proof?

Run through this honestly. Every "No" is a risk:

  • [ ] Treasury uses hardware wallet multisig (not browser extension wallets)
  • [ ] No single person can authorize transfers above $10K
  • [ ] Time-locks exist on all treasury movements > $100K
  • [ ] All signing devices have EDR/MDM installed
  • [ ] Real-time on-chain monitoring alerts within 60 seconds of anomalous activity
  • [ ] Team completes quarterly security training with phishing simulations
  • [ ] Incident response plan exists, is written down, and has been drilled
  • [ ] Treasury is segregated into hot/warm/cold tiers
  • [ ] Key rotation occurs at least quarterly
  • [ ] Off-hours coverage ensures someone is watching 24/7

If you scored less than 7/10, your protocol is at risk — regardless of how many audits you've passed.


Closing Thought

Step Finance's STEP token went from $0.08 to $0.005 in an hour. Three products shut down. Careers ended. Users lost money.

All because someone opened the wrong email.

The next Step Finance won't be hacked through a smart contract. It'll be hacked through a Slack DM, a fake job offer PDF, or a "routine security update" that isn't routine at all.

The question isn't whether your code is secure. The question is whether your team is.


This is part of our ongoing DeFi Security Research series. Previous articles covered Forta detection bots, ERC-4337 smart account security, and Solana program security checklists.
