Treasury Wallets Compromised in Targeted Attack
Step Finance, a well-known analytics and portfolio management platform in the Solana ecosystem, has confirmed a serious security breach that resulted in the loss of roughly 261,854 SOL, valued at around $30 million at the time of the attack.
In a statement published on X, the Step Finance team revealed that multiple treasury and fee wallets were compromised. The attackers reportedly unstaked and transferred the SOL to unknown addresses, indicating a direct compromise of wallet access rather than a flaw in the protocol’s smart contracts. An internal investigation is currently underway, and the team has contacted external cybersecurity firms while urging anyone with relevant information to come forward.
Crucially, early indications suggest user funds were not directly affected, as the breach appears limited to project-held treasury wallets. Even so, the scale of the loss has sent shockwaves through the Solana DeFi ecosystem.
There has been a breach of security for some of our treasury wallets hours ago and we are currently investigating
More information will be posted at a later stage
— Step☀️ (@StepFinance_) January 31, 2026
TVL Wiped Out as Market Reacts Swiftly
The market response was immediate and brutal. According to data from CoinGecko, Step Finance’s native $STEP token plunged roughly 84%, falling to around $0.42 at the time of reporting.
Meanwhile, DeFiLlama shows Step Finance’s total value locked (TVL) has collapsed to zero, reflecting the full depletion of protocol-controlled assets. While TVL does not account for off-chain treasury funds, the data underscores how deeply the exploit has impacted the platform’s on-chain footprint.
The incident has reignited concerns about operational security, particularly how DeFi projects manage private keys, staking permissions, and access controls for high-value wallets.
A Familiar Pattern in Recent Solana DeFi Hacks
Unfortunately, Step Finance’s case fits a worryingly familiar pattern. Recent Solana-based attacks have increasingly focused on administrative and treasury vulnerabilities, rather than exploiting user-facing smart contracts.
One notable parallel is the CrediX exploit, where attackers gained control of an administrator wallet and drained $4.5 million. Although user funds were not directly targeted, the aftermath was chaotic. The team initially promised reimbursements and negotiations with the hacker, but later deleted its X account and shut down its website, triggering widespread accusations of a rug pull.
Another case, the Loopscale exploit, resulted in losses exceeding $5 million shortly after launch. That incident also stemmed from an operational weakness but ended differently, with the team negotiating a 10% bounty settlement with the attacker.
Perhaps the most high-profile comparison is the Upbit Solana-related hack in November 2025, where over $35 million was drained from a hot wallet due to insufficient withdrawal controls. While Upbit is a centralized exchange, the attack highlighted similar risks tied to hot wallet exposure and access mismanagement.
Bigger Questions for DeFi Treasury Security
What makes the Step Finance incident particularly concerning is that it targets core operational infrastructure rather than experimental code. Treasury wallets, fee collectors, and staking authorities often sit outside the scope of formal audits, yet they can control tens of millions of dollars in assets.
As Solana DeFi continues to grow, attackers appear increasingly focused on the human and operational layer - leaked keys, compromised signing devices, and poor access segmentation - instead of complex smart contract exploits.
For now, Step Finance’s future hinges on transparency, communication, and whether any portion of the stolen SOL can be recovered. For the wider ecosystem, the message is clear: treasury security is no longer a back-office concern - it’s existential.



