Step Finance Bleeds $30M in SOL as Treasury Wallets Fall to Attackers

Another day, another crypto vault gets picked clean. Step Finance, a prominent DeFi protocol on the Solana blockchain, just watched a staggering $30 million in SOL vanish into the digital ether.

The Breach: How It Went Down

Attackers didn't need to crack the main protocol. Instead, they targeted the softer underbelly: several administrative treasury wallets. The exact vector remains under investigation, but the result is crystal clear—a massive capital flight from the project's reserves. It's a stark reminder that in crypto, the smartest contract can be undone by the weakest link in operational security.

The Aftermath: Community Shock and Airdrop Questions

The news sent shockwaves through the Step community. These funds weren't just idle cash; they represented the project's war chest for development, incentives, and future growth. Immediate questions swirled around user funds secured within the main protocol and the fate of any planned token distributions. Because nothing says 'community building' like having the community's future rewards stolen first.

The Bigger Picture: DeFi's Persistent Pain Point

This incident throws a harsh spotlight on the perennial Achilles' heel of decentralized finance: treasury management. While protocols boast about being trustless and immutable, the keys to the kingdom often reside in multi-sig wallets or other centralized points of failure. It's the ultimate irony—building a fortress on a blockchain, then leaving the back door key under a digital mat.

Step Finance joins a long, expensive list of projects learning this lesson the hard way. The exploit cuts deep, not just into their balance sheet but into user confidence. The road to recovery is steep, paved with forensic audits, promised security overhauls, and the quiet hope that the market has a short memory. For now, the only thing that stepped up was the loss.

Step Finance was hacked 

According to the Step Finance team on X, several of its treasury and fee wallets were compromised in the attack, which saw the attackers unstake and transfer about 261,854 SOL to unknown addresses. 

At the time of the incident, the price of all that Solana amounted to roughly $30 million in value. The team claimed in their X post that an investigation is underway, and some hours later, they reached out to cybersecurity firms for assistance, encouraging affected users or anyone with means to help to contact them. 

The phrasing from the post makes it seem the incident was a targeted compromise of the protocol’s treasury wallets rather than a smart contract exploit that affected user funds directly. Since the attack, Defillama shows Step Finance’s TVL at zero. 

While the situation is still developing, the market has already reacted to the news. According to data from Coingecko, the native $STEP token has dropped by about 84% at the time of this writing, with prices hovering around $0.4241. 

Recent attacks have targeted admin vulnerabilities  

Attacks on DeFi protocols on Solana are nothing new, but the recent attacks all seem to have common vectors like treasury wallet compromise, private key leaks, access control flaws, and smart contract exploits. 

The Step Finance exploit follows the pattern of operational compromise as its treasury was the target rather than user funds. Some other notable and recent DeFi-related hacks with similar vectors include the CrediX protocol exploit, the Loopscale exploit, and the Upbit Solana-related hack.

The CrediX incident saw the protocol lose $4.5 million in a breach where attackers gained control of an administrator’s wallet. The case mirrors Step Finance’s current predicament closely, as it also did not involve direct user funds. However, many hope things will end differently than they did with CrediX because it was a disaster. 

The team had promised refunds within a day or two of the exploit, claiming it had entered a parley with the hacker. However, rather than follow through on that, the team went off the grid, deleting their X and taking down the website, which triggered allegations of a rugpull. 

The Loopscale incident also had a similar attack vector, losing over $5 million not long after launch due to an exploit, although it ultimately reached a parley with the hacker, settling for a 10% bounty agreement.

The most high-profile attack was the Upbit Solana-related hack, which occurred in November 2025 and resulted in the South Korean exchange losing over $35 million from a hot wallet. The incident was linked to insufficient access controls on withdrawals, and it affected assets in the Solana ecosystem, echoing risks associated with treasury and hot wallets.

Sharpen your strategy with mentorship + daily ideas - 30 days free access to our trading program