A security incident at Step Finance has renewed concerns about treasury protection across decentralized finance. The Solana-based analytics platform confirmed that attackers compromised several treasury and fee wallets.
On-chain data showsthat a large amount of SOL was unstaked and moved in a short time window. At the time, the transferred assets carried an estimated value of about $30 million. The disclosure triggered immediate attention across the Solana ecosystem due to the size and nature of the outflow.
The team acknowledged the breach through official channels and launched an urgent investigation. Additionally, Step Finance engaged external cybersecurity firms to support forensic analysis.
The platform stated that it is still reviewing how the wallets were accessed. Consequently, attribution and recovery details remain unavailable. The incident occurred rapidly, which raised questions about prior wallet access rather than automated exploitation.
Large Treasury Outflow Raises Red Flags
Blockchain data showed that roughly 261,854 SOL was unstaked before the transfers occurred. Significantly, unstaking requires direct wallet permissions, which suggests deliberate human interaction. Analysts noted that this sequence often indicates compromised private keys. However, investigators have not confirmed the attack vector.
Besides the treasury wallets, fee-related wallets were also affected. These wallets typically hold protocol revenue, making them valuable targets. Moreover, the destination of the transferred funds remains unknown. No clear recovery timeline has been shared so far.
Despite the scale of the incident, Step Finance clarified that user funds were not exposed. The platform focuses on analytics and portfolio tracking rather than asset custody. Hence, the breach appears limited to protocol-owned assets. Still, the event unsettled the broader Solana DeFi community.
Broader Impact on Solana DeFi Security
The breach follows a pattern of treasury-focused attacks seen throughout 2025. Consequently, security teams have increased scrutiny of protocol fund management.
Market observers pointed out that rising treasury balances attract more sophisticated attackers. Additionally, volatile market conditions often accelerate such attempts.
Community responses varied after the disclosure. Some participants requested immediate transparency. Others urged patience until investigators complete their analysis.
Meanwhile, security experts stressed the importance of layered defenses. Multisignature controls, restricted access, and real-time monitoring reduce single-point failures.
Industry Pressure Builds for Stronger Controls
The incident highlighted structural risks within decentralized finance treasuries. Moreover, attackers now target institutional wallets instead of individual users.
This shift increases pressure on protocols to strengthen custody frameworks. Consequently, treasury security has become a priority topic across Solana-based projects.
Source: https://coinpaper.com/14193/step-finance-confirms-treasury-wallet-hack-after-30-m-sol-outflow
![[Time Trowel] Zamboanga City and ‘Chief of War’](https://www.rappler.com/tachyon/2026/01/zamboanga-chief-of-war-time-trowel-01312026.jpg)
