Key Takeaway:
- Step Finance shutting down after $27M treasury breach via off-chain key exposure.
- 261,854 SOL unstaked and transferred from project wallets; STEP token plunged sharply.
- Company pursuing buyback using pre-hack snapshot; Remora rTokens redeemable and asserted 1:1.
Step Finance, a Solana-based DeFi platform, has ceased operations following a treasury breach estimated at roughly $27 million on Jan. 31, 2026. The compromise targeted project-controlled wallets and sparked a collapse in the STEP token.
This report compiles verified disclosures and on-chain reviews to explain the shutdown, quantify the loss, and outline what has been communicated to token holders. Figures and characterizations are constrained to stated disclosures and on-chain reviews.
On Jan. 31, Step Finance disclosed that several treasury and fee wallets were compromised via an off-chain key exposure rather than a smart-contract flaw, as explained by Halborn. The description indicates weaknesses in endpoint security or signing infrastructure.
Approximately 261,854 SOL, valued around $27–30 million at the time, were unstaked and transferred from project-controlled wallets, based on data from CertiK. The movement of funds coincided with a steep drawdown in the STEP token.
After evaluating fundraising or acquisition options, the company announced it would cease operations and implement a STEP token buyback using a pre-hack snapshot, with a redemption process for Remora Markets rTokens, as reported by TheStreet. The redemption instruments were asserted to remain 1:1 backed.
Date and vector: the breach occurred Jan. 31, 2026, and was characterized as an off-chain key compromise. Impacted wallets were treasury and fee accounts under project control.
Scale: about 261,854 SOL moved, translating to roughly $27–30 million at the time. The figures align with on-chain transfers from compromised wallets.
Operational outcome: Step Finance is winding down, while a buyback and rToken redemption have been outlined. Execution details depend on the pre-hack snapshot and announced processes.
In its incident language, the project framed the adversary and method in familiar terms. “A sophisticated actor” used a “well-known attack vector,” said Step Finance in its post-incident statement.
Market impact: the STEP token plunged more than 90% once the breach became public, as reported by BitcoinInsider. Liquidity and confidence deteriorated alongside treasury losses.
At the time of this writing, STEP traded near $0.000606 with extremely high volatility and bearish sentiment, and a 14-day RSI around 21.8 indicating oversold conditions. These readings are descriptive rather than predictive.
Security context: researchers emphasize cold storage, threshold multisig, hardened endpoints, and formalized incident runbooks for treasury governance. The incident highlights operational security as a critical control.
Disclaimer:
Coinwy provides news and informational content related to cryptocurrency and digital assets. The information published on this site is for educational purposes only and does not constitute financial, investment, or trading advice. Cryptocurrency investments carry significant risk. Always conduct your own research and consult a qualified financial advisor before making any financial decisions.
