solanahack

The Solana ecosystem has suffered a devastating blow as three interconnected platforms, Step Finance, SolanaFloor, and Remora Markets, announced immediate shutdowns following a catastrophic 27 million treasury hack that proved unrecoverable. The closure marks the end of some of Solana's earliest infrastructure pillars and raises serious questions about operational security in decentralized finance.
The Hack That Broke the Camel's Back
On January 31, 2026, Step Finance disclosed that attackers had breached "some of our treasury wallets" during APAC hours, describing it as an attack facilitated through "a well known attack vector" executed by a "sophisticated actor" . Blockchain security firm CertiK confirmed that 261,854 SOL—worth approximately 27 million—was unstaked and transferred out of compromised wallets .
The root cause wasn't a smart contract vulnerability or protocol exploit. In a February 2 confession, the team admitted: "This was a result of our executive team's devices being compromised" . Security analysts identified it as a social engineering attack—likely phishing—that gave attackers access to private keys or transaction signing capabilities .
The stolen funds represented a fatal blow to Step Finance's operational model. The platform had built its ecosystem around validator revenue-funded token buybacks and treasury-supported expansion. With the treasury drained, the financial foundation collapsed.
The Triple Shutdown
On February 23, Step Finance announced via X that it would be "winding down all operations" effective immediately, stating they "explored every possible path forward, including financing and acquisition opportunities" but were "unable to secure a viable outcome" .
The closure extends to:
- SolanaFloor: The ecosystem's prominent media outlet and NFT analytics platform, which will stop publishing new content but maintain its archives
- Remora Markets: The lending and yield protocol (formerly Moose Capital) acquired by Step in late 2024 to bring tokenized equities to Solana
SolanaFloor, which grew from "a small X account" into "one of the most widely read" Solana-focused publications, acknowledged it "tried to continue operating after the events affecting its parent company" but "could not find a sustainable route" .
Token Carnage and Recovery Efforts
The market delivered its verdict within hours of the initial hack. The STEP token plummeted 93% in 24 hours, falling from 0.023 to 0.001578 . Following the shutdown announcement, it dropped another 36% to trade at 0.00057—a staggering 99.99% decline from its August 2021 all-time high of 10.20 .
Step Finance is attempting partial remediation through:
A buyback program for STEP holders based on a pre-incident snapshotA redemption process for Remora rToken holders, with assurances that tokens remain "backed 1:1 with our broker"
The team managed to recover approximately 4.7 million through Token22's built-in security protections on Remora assets—a small consolation on a 27.3 million loss .

Industry-Wide Implications
The Step Finance collapse highlights a troubling trend in crypto security: private key compromises accounted for 88% of Q1 2025 losses, with wallet compromises driving 1.71 billion in theft during the first half of 2025 alone .
Security experts note that Step Finance had done everything "by the book"—audited contracts, bug bounties, public security reviews—yet fell victim to basic email hygiene failures . As security researcher Piotr Rzonsowski observed: "Step Finance's hack is a reminder that security is a chain, and chains break at the weakest link" .
The incident also compounds pressure on Solana's DeFi ecosystem, which has seen total value locked (TVL) drop 52% since its September peak to just 6.3 billion . Meanwhile, SOL prices have declined 74% from their January 2025 all-time high of 293 .
What Happens Next
While Step Finance co-founder George Harrap indicated that "some people have reached out on acquiring various businesses," the team is "on a time crunch" . Crypto investor Mike Dudas revealed he was contacted about a bridge round but requested a security post-mortem first—and received no response .
The triple shutdown represents more than just financial losses; it erases years of ecosystem building. Step Finance served as Solana's "front page"—a portfolio dashboard that helped users track yield farms, LP tokens, and DeFi positions across the network. SolanaFloor documented the ecosystem's growth from obscurity to mainstream adoption.
For the broader crypto industry, the lesson is clear: you can audit the code, but you cannot audit the humans. Until protocols implement robust multi-signature requirements, hardware wallet mandates for treasury operations, and comprehensive social engineering defenses, the 27 million question remains—who's checking their email?
The Step Finance treasury wallets remain visible on-chain, with the majority of stolen funds still parked in attacker-controlled addresses—a silent monument to crypto's persistent operational security crisis.
#SolanaHack