Step Finance’s January 2026 treasury breach drained roughly $27 million after attackers obtained wallet-level control over treasury and fee accounts. The attack sequence involved transferring Solana stake authorization, unstaking about 261,854 SOL, withdrawing funds to attacker-controlled addresses, and reportedly routing portions through privacy tools. The postmortem frames the incident as an infrastructure and key-management failure, not a smart-contract exploit, with likely causes including compromised private keys, signing devices, inadequate multisig, or operational security weaknesses. User funds were reported as unaffected, but STEP’s market collapse showed the systemic impact of treasury compromise on protocol confidence and recovery.