A $40M Step Finance treasury drain shows how one compromised executive device can bypass audits and unravel an entire DeFi protocol.
Everyone keeps saying “the smart contracts were safe,” and they’re right. One compromised executive device was enough to hand over treasury control, drain ~$40M, and remind everyone that in DeFi, humans are still the weakest link. Audits don’t save you from bad OpSec, and this breach is a brutal lesson in that reality.
This won’t be the last incident of its kind unless teams treat executive devices and key management as critical infrastructure rather than an afterthought.