Step Finance, a Solana-based DeFi platform that handles portfolio management, analytics, and dashboards for the ecosystem, has suffered a serious security breach that saw the attackers get away with millions. It is not uncommon for treasuries in the DeFi sector to get attacked on Solana or other chains; however, the scale on which this one happened has once again reignited debates about security practices for project-held funds. Step Finance was hacked According to the Step Finance team on X, several of its treasury and fee wallets were compromised in the attack, which saw the attackers unstake and transfer about 261,854 SOL to unknown addresses. At the time of the incident, the price of all that Solana amounted to roughly $30 million in value. The team claimed in their X post that an investigation is underway, and some hours later, they reached out to cybersecurity firms for assistance, encouraging affected users or anyone with means to help to contact them. The phrasing from the post makes it seem the incident was a targeted compromise of the protocol’s treasury wallets rather than a smart contract exploit that affected user funds directly. Since the attack, Defillama shows Step Finance’s TVL at zero. Step Finance’s TVL is at zero since the hack. Source: Defillama While the situation is still developing, the market has already reacted to the news. According to data from Coingecko, the native $STEP token has dropped by about 84% at the time of this writing, with prices hovering around $0.4241. Recent attacks have targeted admin vulnerabilities Attacks on DeFi protocols on Solana are nothing new, but the recent attacks all seem to have common vectors like treasury wallet compromise, private key leaks, access control flaws, and smart contract exploits. The Step Finance exploit follows the pattern of operational compromise as its treasury was the target rather than user funds. Some other notable and recent DeFi-related hacks with similar vectors include the CrediX protocol exploit , the Loopscale exploit, and the Upbit Solana-related hack. The CrediX incident saw the protocol lose $4.5 million in a breach where attackers gained control of an administrator’s wallet. The case mirrors Step Finance’s current predicament closely, as it also did not involve direct user funds. However, many hope things will end differently than they did with CrediX because it was a disaster. The team had promised refunds within a day or two of the exploit, claiming it had entered a parley with the hacker. However, rather than follow through on that, the team went off the grid, deleting their X and taking down the website, which triggered allegations of a rugpull. The Loopscale incident also had a similar attack vector, losing over $5 million not long after launch due to an exploit, although it ultimately reached a parley with the hacker, settling for a 10% bounty agreement. The most high-profile attack was the Upbit Solana-related hack , which occurred in November 2025 and resulted in the South Korean exchange losing over $35 million from a hot wallet. The incident was linked to insufficient access controls on withdrawals, and it affected assets in the Solana ecosystem, echoing risks associated with treasury and hot wallets. Claim your free seat in an exclusive crypto trading community - limited to 1,000 members.
