lazarusholic


Step Finance

2026-02-04, Rekt
https://rekt.news/step-finance-rekt
#StepFinance

Contents

Step Finance - Rekt
Ninety minutes and one compromised laptop separated Step Finance from $27.3 million.
The smart contracts worked flawlessly. The humans didn't.
Just someone's executive device getting owned by what the team called "a well known attack vector" - the kind of phrasing that screams phishing email without actually saying it.
Step Finance had checked all the boxes: audited contracts, bug bounties, public security reviews, a Solana-focused media outlet, and plans to tokenize equities on Solana.
261,854 SOL unstaked and gone before breakfast, leaving their STEP token down 93% and their "front page of Solana" branding aging like milk in the summer sun.
CertiK flagged the bleeding while Step Finance scrambled for cybersecurity DMs, eventually recovering $4.7 million through Token22 protections - a consolation prize on a $27.3 million education.
When your code passes every audit but your executives fail basic email hygiene, what exactly are security reviews protecting?
Credit: CoinTelegraph, StepFinance, Piotr Rzonsowski, CertiK, Chainalysis, …

IoC

3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C