Step Finance Hack: $40M Solana Treasury Breach Explained (2026)
Massive $40 Million Breach Hits Step Finance: Lessons from the Solana DeFi Treasury Compromise
In a shocking incident on January 31, 2026, Solana-based DeFi platform Step Finance revealed that hackers compromised several treasury and fee wallets, leading to losses of approximately $40 million in digital assets. The attack, attributed to compromised executive devices and a well-known vector, has halted operations and sent the native STEP token plummeting by over 90%, highlighting persistent security challenges in decentralized finance.
Step Finance, a popular portfolio management and analytics platform on the Solana blockchain, announced the breach during APAC hours on January 31, 2026. The company confirmed that a sophisticated actor accessed multiple treasury wallets, draining 261,854 SOL tokens initially valued at around $29 million, though total losses reached $40 million upon full assessment. Blockchain analysts from CertiK tracked the on-chain activity, noting the rapid unstaking and transfer of funds.
The root cause was the compromise of devices belonging to Step Finance executives, not a smart contract vulnerability. This operational security lapse allowed attackers to use a “well-known attack vector,” bypassing typical DeFi exploit paths. Step Finance immediately notified authorities, engaged cybersecurity firms, and implemented remediation steps, including halting certain operations while security is reinforced. No user funds were directly affected, as treasury assets were isolated from client holdings.

Recovery efforts yielded partial success, with about $3.7 million in Remora assets and $1 million in other positions reclaimed through Token22 protections and partner coordination. Remora Markets, a Step-owned protocol, remained fully backed at a 1:1 ratio and isolated from the incident. However, the STEP token crashed 92% in a week amid market downturns, prompting warnings for users to avoid trading until a pre-exploit snapshot and holder solution are finalized.
This event underscores broader vulnerabilities in Solana’s DeFi ecosystem, which has faced multiple breaches. Unlike a code exploit, this breach exposed human factors such as private key management in treasury operations. Step Finance has not disclosed full details of the attacker or their methods, fueling speculation, but has confirmed that its collaboration with experts continues.
The crypto market’s simultaneous decline amplified impacts, with Bitcoin down 13% and Ethereum 23% in the week following. Step Finance’s $40 million loss fits into January 2026’s $398 million in crypto thefts, per CertiK, emphasizing the need for robust multi-signature controls and device security in DeFi projects.
Organizations handling crypto treasuries should prioritize endpoint detection, hardware wallets, and regular audits to mitigate such risks. As investigations progress, Step Finance aims to restore operations securely, serving as a cautionary tale for the sector.