# RugTrace Investigation Report

![Case-level investigation graph](/case-reports/step-finance-treasury-breach-2026-02/graph.svg)

**Case Reference:** `case:step-finance-treasury-breach-2026-02`
**Report Generated:** 2026-05-01T10:19:47.732Z
**Network:** Solana Mainnet-Beta

---

## 1. Executive Summary

This report examines the reported Step Finance treasury wallet compromise, which is alleged to have resulted in a loss range of **$27 million to $40 million** in SOL/token assets. The incident is dated between **2026-01-31 and 2026-02-05** and is classified as a **critical severity** event.

The available data represents a **case-level aggregation** of source-reported entities and candidate transaction fixtures. No verified on-chain Solana transaction signature has been attached to this case yet. The fund flow described herein is based on source-reported information and should be treated as **unverified until manual review is completed**.

A single large movement of approximately **27,000,000 USD/SOL equivalent** is reported from the Step Finance treasury wallet to a merged attack source node. Subsequent risk of centralized exchange (CEX) cashout has been flagged by external sources, though no confirmed exchange attribution exists.

---

## 2. Input Transaction

| Field | Value |
|---|---|
| **Signature** | `case:step-finance-treasury-breach-2026-02` |
| **Block Time** | 2026-05-01T10:19:47.732Z |
| **Signer(s)** | Step Finance treasury breach |
| **Native Balance Deltas** | None recorded |
| **Token Balance Deltas** | None recorded |
| **Program Interactions** | Step Finance (protocol context) |

**Important Caveat:** This signature is a **case-level identifier**, not a confirmed on-chain Solana transaction. The graph metadata explicitly warns that candidate transactions need manual role review before being treated as verified exploit transactions.

---

## 3. Victim-Side Fund Flow

**Identified Victim Wallet:** `Step Finance treasury breach`

| Step | From | To | Amount | Token | Interpretation |
|---|---|---|---|---|---|
| 1 | Step Finance treasury breach | Merged attack source | 27,000,000 | USD/SOL | Reported treasury wallet compromise |

**Narrative:**

The Step Finance treasury wallet is reported to have been compromised, resulting in a large single-hop outflow of approximately **27,000,000 USD/SOL equivalent** to a merged attack source entity. This movement is described by source reports as a "treasury wallet compromise." The reported loss range extends up to **$40 million**, suggesting additional movements may exist beyond what is captured in this case-level graph.

No intermediate wallets or splitting patterns are visible in the current graph at the examined depth (3 hops). The victim wallet carries a risk score of **0.35**, reflecting its role as a legitimate protocol treasury rather than a suspicious entity.

---

## 4. Suspect-Side Fund Flow

**Identified Suspect Wallet:** `Merged attack source` (Risk Score: **0.92**)

| Step | From | To | Amount | Token | Interpretation |
|---|---|---|---|---|---|
| 1 | Merged attack source | CEX transfer risk source | 0 | SOL | Source discusses CEX-transfer recovery risk; not confirmed exchange attribution |

**Narrative:**

The merged attack source node aggregates reported suspicious flow linked to this case. It is flagged with a high risk score of **0.92** and is labeled as a case-level merged node from source-linked transactions and entities.

A potential connection to centralized exchange (CEX) cashout infrastructure is noted via an edge to the **CEX transfer risk source** node. However, the transfer amount recorded is **0 SOL**, indicating this is an **informational risk flag** rather than a confirmed on-chain transfer. The source material discusses CEX-transfer recovery risk but does not provide confirmed exchange attribution.

The graph also shows the suspect node interacting with:
- **Solscan search** — a blockchain explorer tool (informational)
- **Step Finance program** — the affected protocol (contextual)

---

## 5. Wallets Involved

| Node ID | Type | Role | Label | Risk Score |
|---|---|---|---|---|
| `victim-step-finance-treasury-breach-2026-02` | Wallet | Victim | Step Finance treasury breach | 0.35 |
| `case-step-finance-treasury-breach-2026-02` | Wallet | Suspect | Merged attack source | 0.92 |
| `entity-step-finance-treasury-breach-2026-02-1-solscan-search` | Wallet | Intermediate | Solscan search | 0.52 |
| `entity-step-finance-treasury-breach-2026-02-2-cex-transfer-risk-source` | Wallet | Cashout Candidate | CEX transfer risk source | 0.52 |

**Programs:**

| Node ID | Type | Role | Label | Risk Score |
|---|---|---|---|---|
| `entity-step-finance-treasury-breach-2026-02-0-step-finance` | Program | Program | Step Finance | 0.52 |

**Memory/Pattern Nodes:**

| Node ID | Type | Role | Label | Risk Score |
|---|---|---|---|---|
| `memory-step-finance-treasury-breach-2026-02` | Pattern | Memory | One-hop Cashout Candidate | 0.86 |

---

## 6. Evidence Table

| Signature | From | To | Amount | Token | Interpretation |
|---|---|---|---|---|---|
| `case:step-finance-treasury-breach-2026-02` | victim-step-finance-treasury-breach-2026-02 | case-step-finance-treasury-breach-2026-02 | 27,000,000 | USD/SOL | Reported treasury wallet compromise |
| `case:step-finance-treasury-breach-2026-02` | case-step-finance-treasury-breach-2026-02 | entity-step-finance-treasury-breach-2026-02-2-cex-transfer-risk-source | 0 | SOL | Source discusses CEX-transfer recovery risk, not confirmed exchange attribution |

---

## 7. Pattern Matches

Five pattern matches were identified from persistent memory and the case library, listed by descending confidence:

| Pattern ID | Label | Confidence | Source | Key Evidence |
|---|---|---|---|---|
| `case_memory_carrot-drift-exposure-2026-04` | Protocol Exposure Cascade | **0.84** | Case Library | Rapid movement (0.0 min), known program interaction, large single-hop movement of 27M units |
| `case_memory_hawk-tuah-2024` | Fast Fund → Launch → Drain | **0.75** | Case Library | Rapid movement (0.0 min), known program interaction, large single-hop movement of 27M units |
| `case_memory_jenner-2024` | Fast Fund → Launch → Drain | **0.75** | Case Library | Rapid movement (0.0 min), known program interaction, large single-hop movement of 27M units |
| `pattern_fast_fund_launch_drain` | Fast Fund → Launch → Drain | **0.65** | Pattern | Rapid movement (0.0 min), known program interaction |
| `memory_cmomib55r000l7k9gp9wg7r9l` | Split-and-Scatter Exit | **0.57** | Memory | Rapid movement (0.0 min), known program interaction, large single-hop movement of 27M units |

**Interpretation:**

The highest-confidence match is the **Protocol Exposure Cascade** pattern (0.84), which describes a sequence of vault exposure → linked positions → recovery snapshot → withdrawal deadline. This may suggest the Step Finance breach involved layered protocol exposure rather than a simple direct drain.

Multiple **Fast Fund → Launch → Drain** patterns also match with moderate-to-high confidence (0.65–0.75). These patterns typically describe wallets receiving funding shortly before suspicious activity, then rapidly draining or redistributing funds. The similarity to the $HAWK and $JENNER case patterns is noted but should not be interpreted as a direct connection to those incidents.

The **Split-and-Scatter Exit** pattern (0.57) has lower confidence, and no split pattern is currently visible in the graph features (`hasSplitPattern: false`); this suggests the match is only partially applicable, or that additional hops beyond the current depth may reveal splitting behavior.

---

## 8. Confidence and Limitations

### Confidence Assessment

| Aspect | Rating | Notes |
|---|---|---|
| **Victim Identification** | Medium | Source-reported; Step Finance is a known protocol |
| **Suspect Identification** | Low–Medium | Merged attack source is a case-level aggregation, not a verified wallet |
| **Fund Flow Accuracy** | Low | No verified on-chain transaction signature attached; case-level identifier used |
| **CEX Cashout Link** | Low | Informational risk flag only; amount is 0; no confirmed exchange attribution |
| **Pattern Match Relevance** | Medium | Multiple patterns match with moderate-to-high similarity |

### Key Limitations

1. **No verified on-chain transaction:** The graph metadata explicitly warns that candidate transactions need manual role review. The signature `case:step-finance-treasury-breach-2026-02` is a case-level identifier, not a confirmed Solana transaction.
2. **Merged suspect node:** The "Merged attack source" is a case-level aggregation of source-linked transactions and entities, not a single verified wallet address.
3. **Graph depth:** The investigation is limited to
