Step Finance: Compromised Executive Device → Stake Authorization Transfer
Summary
Step Finance, a DeFi dashboard, yield and staking platform (it also runs Remora Markets, tokenized equities), was compromised on 2026-01-31, resulting in a loss of approximately $27M.
What happened
Step Finance had audited contracts, a bug bounty, and public security reviews — none of it mattered when a phished executive's laptop handed attackers the keys to 261,854 SOL ($27.3M) in 90 minutes.
Linked factors
- RD-F-027 — causal: ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — Stake authorization transfer to unknown address is the key on-chain action; Solana staking change events to fresh wallets during APAC of...]
- RD-F-101 — illustrative: Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — Stake authorization transfer to unknown address is the key on-chain action; Solana staking change events to fresh wallets during APAC of...]