Step Finance Hack 2026 — $20M Exploit Analysis

Flash loan + oracle manipulation drained $20M from Solana yield vaults

Details

Full Description

Step Finance on Solana was exploited for approximately $20 million through a sophisticated flash loan attack. The attacker borrowed a massive amount of SOL via flash loan, then executed a series of rapid DEX swaps to artificially inflate the price of certain SPL tokens. With manipulated oracle prices, the attacker deposited these inflated tokens as collateral into Step Finance's yield aggregation vaults and borrowed against them at favorable ratios. After extracting funds, the attacker reversed the price manipulation and repaid the flash loan, leaving the protocol with bad debt.

Laundering Analysis

The attacker immediately bridged a significant portion of stolen SOL to Ethereum via Wormhole, converting to ETH and stablecoins. Funds were then fragmented across multiple wallets and routed through Tornado Cash and Railgun privacy protocols. A smaller portion remained on Solana and was laundered through Jupiter aggregator swaps into privacy-focused tokens. On-chain analysts traced initial movements to a funded wallet linked to previous DeFi exploits.

Sources

Related Hacks

Back to Browse