Step Finance Treasury Drained of $30M SOL; Token Collapses 80%

Treasury Wallets Compromised

Solana-based dashboard Step Finance lost control of its treasury early Friday, with attackers draining approximately $30 million in protocol assets. The team confirmed the breach on X, stating that “multiple treasury and fee wallets were compromised” during the attack. The exploit did not target user deposits.

On-chain data reveals the attacker systematically unstaked 261,854 SOL before transferring the funds to external addresses. This specific sequence, unstaking followed by withdrawal, points to compromised private keys rather than a smart contract vulnerability. Security firms are currently tracing the funds, though no recovery has been made.

Market Reaction

The governance token, STEP, reacted instantly. Liquidity evaporated.

The token plummeted over 80% in the hours following the disclosure, trading down to $0.024. Step Finance uses treasury revenue to fund token buybacks, a mechanism now effectively halted by the loss of reserves. SOL itself traded lower at $110, caught in a broader market risk-off move that saw Bitcoin dip below $80,000.

Institutional Context

This incident mirrors a growing trend of administrative compromises over code exploits. Unlike the Upbit hack in late 2025, which targeted hot wallets, this breach struck at the core of a DeFi protocol’s operational runway. It forces a re-evaluation of how Solana projects manage treasury multisigs. Protocols focusing on “user fund safety” often neglect the security of their own operational capital. The result is a zombie protocol: safe for users, but financially dead.

There has been a breach of security for some of our treasury wallets… we are currently investigating.

Step Finance has engaged external forensic teams to identify the vector. User funds remain unaffected as the platform functions primarily as an analytics dashboard rather than a custodian.