How Does Step Finance Work?

DeFi | Risk C+ | 6 mechanisms | 5 interactions

A Solana portfolio dashboard and swap tool that was hacked in January 2026. An executive's personal device was compromised, and attackers stole 261,854 SOL ($30M) from the treasury. The STEP token crashed 90%. Its C- grade reflects the devastating security breach and uncertain future without treasury funding.

TVL

Sector: DeFi

Risk Grade: C+

Value Grade: F

Core Mechanisms

DeFi/Portfolio-Dashboard

Solana portfolio aggregation covering ~95% of Solana protocols with real-time position tracking

The core product is a dashboard aggregating LP positions, tokens, farms, NFTs, and yield farming across the Solana ecosystem. It is not a novel mechanism but a data aggregation layer.

4.1.1

Swap aggregator routing trades across Solana DEXs for best execution

Step Finance includes a built-in swap module that routes trades across Solana DEXs. Standard aggregator pattern similar to Jupiter.

3.4.2

xSTEP: reward-bearing staked token receiving 80% of protocol fees

Users stake STEP to receive xSTEP, which appreciates as protocol fees accrue. 80% of fees go to stakers, 20% to treasury. Standard revenue-sharing staking model.

2.3.1

Treasury wallets holding staked SOL and operational funds (compromised in January 2026)

The protocol treasury held 261,854 SOL in staking positions. The treasury was compromised via executive device access, not a smart contract exploit. Key management was the failure point.

Yield/Auto-Compound

Automated compounding for yield farming positions across Solana protocols

Step offers automated compounding features for yield farming positions. Standard auto-compound vault pattern.

RWA/Tokenized-Stocks

Novel

Remora Markets: regulated tokenized stock trading on Solana (subsidiary)

Step's subsidiary Remora Markets brings regulated tokenized stock trading to Solana. Novel integration of traditional equities with DeFi infrastructure, though early stage.

How the Pieces Interact

Treasury wallet key management | Executive device security | Critical

The treasury wallets were compromised through an executive's personal device, bypassing all on-chain security. The 261,854 SOL ($30M) was unstaked and drained in a single incident, demonstrating that operational security is the weakest link regardless of smart contract quality.

xSTEP staking revenue | Treasury depletion | High

With the treasury drained of $30M, the protocol's ability to fund development, operations, and buybacks is severely impaired. xSTEP stakers face near-zero fee revenue as platform activity collapses post-hack.

Swap aggregator routing | Admin key access | High

If the device compromise exposed admin keys for the swap aggregator, attackers could potentially manipulate trade routing to extract value from users' swap transactions. The scope of the key compromise remains unclear.

Portfolio dashboard | DeFi protocol integrations | Medium

Step's dashboard connects to ~95% of Solana protocols via APIs and on-chain reads. If the compromise extended to integration credentials, partner protocols could face indirect exposure through Step's data pipeline.

Remora Markets (tokenized stocks) | Treasury funding dependency | Medium

Remora Markets depends on Step Finance treasury for operational funding. The $30M treasury theft threatens the viability of this subsidiary, potentially stranding users holding tokenized stock positions.

What Could Go Wrong

  1. Treasury wallets hacked in January 2026: 261,854 SOL ($30M) stolen via executive device compromise, STEP token crashed 90%
  2. Operational security failure: the attack exploited device-level access to treasury keys, bypassing all smart contract security
  3. Protocol viability in question: lost treasury funding for development, operations, and subsidiary projects

Treasury Wallet Compromise Contagion

Elevated

Trigger: Following the January 2026 theft of 261,854 SOL ($30M) from treasury wallets via executive device compromise, additional treasury wallets or protocol-controlled accounts are found to be compromised

  1. Investigation reveals the compromised executive device had access to additional treasury multisig keys beyond the initially drained wallets. Remaining Step Finance treasury funds and protocol-controlled staking positions are at risk of further theft.
  2. STEP token, already down 90%, drops further as the scope of the compromise expands beyond the initial $30M. xSTEP stakers face total loss of value; protocol fee revenue sharing becomes worthless.
  3. Users abandon the Step Finance dashboard, migrating to competing Solana portfolio trackers (Birdeye, Phantom native). Step Finance loses its primary value proposition as a user-facing analytics platform; TVL and activity collapse.
  4. Step's subsidiary projects (SolanaFloor NFT analytics, Remora Markets tokenized stocks) face operational shutdown. The entire Step ecosystem collapses without treasury funding for development and operations.

Risk Profile at a Glance

Mechanism Novelty: 2/15
Interaction Severity: 11/20
Oracle Surface: 0/10
Documentation Gaps: 5/10
Track Record: 15/15
Scale Exposure: 0/10
Regulatory Risk: 2/10
Vitality Risk: 6/10

Overall: C+ (41/100)

Lower score = safer
