$27 million to $40 million in SOL was removed from Step Finance’s treasury and fee wallets on Jan. 31, 2026, a breach that immediately triggered the wind-down of three early Solana ecosystem projects. The teams said the loss left them insolvent, unable to raise financing or find a buyer, and forced shutdowns across analytics, dashboard, and yield-related services.
The incident was described as an endpoint compromise rather than a smart-contract exploit, but it still produced outsized market damage. STEP reportedly collapsed roughly 96%–97%, and the shock hit an ecosystem that was already liquidity-thin after Solana DeFi TVL had fallen about 52% from its September 2025 peak.
Today we are announcing that Step Finance, SolanaFloor, and Remora Markets will be winding down all operations.
Following the hack at the end of January we explored every possible path forward, including financing and acquisition opportunities.
Unfortunately, we were unable to…
— Step☀️ (@StepFinance_) February 23, 2026
What happened and why it mattered
CertiK corroborated the operational nature of the breach, reporting that attackers accessed executive devices and used that access to withdraw treasury funds rather than exploiting protocol code. The teams emphasized that Solana’s network integrity was not the issue, but that compromised endpoints were enough to drain capital and confidence anyway.
That distinction matters because it shifts the risk model from code correctness to operational controls. Even well-audited contracts can be functionally defeated if the devices and signing workflows behind treasury keys are compromised.
Wind-down actions and user remediation
As part of the closure plan, Step Finance said it would run a STEP buyback program using a pre-exploit snapshot to set valuations. The buyback is positioned as a structured attempt to return value despite the treasury shortfall.
Remora Markets said it would organize a redemption process for rToken holders and stated rTokens remained backed 1:1. The redemption process depends on on-chain snapshots and sustained confidence in the remaining backing.
SolanaFloor moved into an archival mode, preserving historical content while ending new publication and editorial activity. The shift reflects a hard stop in operations rather than a temporary pause.
The teams said attempts to secure capital or sell assets failed after the incident, leaving an orderly wind-down as the only viable path. That outcome illustrates how quickly an operational breach can erase financing optionality, especially in a risk-off market.
For traders and market makers, the event amplified volatility and likely accelerated outflows from Solana DeFi as confidence reset. For institutional treasuries, it raises the operational premium of ecosystem dependency and reinforces that due diligence must include device security, key management, and segregation of duties—not only smart-contract audits.
The closures remove long-standing infrastructure from Solana and will likely push the ecosystem toward tighter standards on endpoint hardening and signing controls. Over the near term, the quality and execution of buyback and redemption timelines will determine how much value is ultimately recoverable for affected holders.
