## https://sploitus.com/exploit?id=1C87A738-6C93-5776-A3E3-4B25371558E5
# Step Finance Stake Authority Compromise โ PoC
> **Educational Purpose Only** โ This PoC is created for security research and education
> purposes only. It runs on a local Solana validator, not mainnet.
## Quick Start
```bash
git clone https://github.com/NomosLabs-Security/poc-step-finance-2026
cd poc-step-finance-2026
solana-keygen new --no-bip39-passphrase --silent --force
yarn install
anchor build --no-idl
anchor keys sync
anchor build --no-idl
anchor test --skip-build
```
## Details
- **Exploit Date:** 2026-01-31
- **Chain:** Solana
- **Framework:** Anchor (Rust + TypeScript)
- **Loss:** ~$27.3M (261,932 SOL)
- **Recovery:** $4.7M (Token22 freeze on Remora Markets assets)
- **Expected Output:** Stake authority transfer, full treasury drain in 4 steps
- **Full Analysis:** [NomosLabs Security Intelligence Archive](https://nomoslabs.io/archive/step-finance-2026)
## Prerequisites
- [Rust](https://rustup.rs/) (v1.79+)
- [Solana CLI](https://docs.solana.com/cli/install-solana-cli-tools) (v1.18+)
- [Anchor](https://www.anchor-lang.com/docs/installation) (v0.30+)
- [Node.js](https://nodejs.org/) (v18+)
## Description
This PoC reproduces the Step Finance stake authority compromise natively on Solana
using the Anchor framework.
The test demonstrates:
1. Treasury with 261,932 SOL staked across 3 stake accounts
2. Executive device compromised โ attacker obtains stake authority credentials
3. Stake authority transferred to attacker wallet (no multisig, no timelock)
4. All stake accounts deactivated and SOL withdrawn in ~90 minutes
5. **Fixed version** with multisig + 24h timelock + 50K SOL daily cap + guardian pause
## Program Structure
- `programs/step-exploit/src/lib.rs` โ Simplified Solana staking program with vulnerable and fixed paths
- `tests/exploit.ts` โ Step-by-step exploit reproduction and mitigation tests
## Key Insight
This was NOT a smart contract vulnerability. All audits, bug bounties, and security reviews
were irrelevant because the attacker compromised executive devices โ targeting human
infrastructure rather than protocol code. The authorization model (single EOA as stake
authority) became the attack vector.
## License
MIT โ For educational use only.