Research

Silence to Splash: The Step Finance Hacker’s Five-Month Contingency Plan

CryptoCred

The transaction sat dormant for 152 days.

A wallet holding $21.4 million in stolen SOL. No movement. No exit. The market forgot. Then, on a Tuesday, it blinked.

Between 04:17 and 06:42 UTC, the attacker executed a coordinated liquidation: SOL → USDC → ETH → Tornado Cash. Five transactions. Zero alarms. A textbook rebalancing of risk.

This is not a story of new technology. It is a story of operational latency.

The gap between exploitation and liquidation often reveals the true architecture of DeFi risk. When funds move after months of silence, the question isn't just how—it's why now.

Context: The Step Finance Exploit, Revisited

Step Finance is a portfolio dashboard and analytics platform on Solana. In November 2024, an attacker exploited a smart contract vulnerability—details remain under NDA due to ongoing investigation—to drain approximately 214,000 SOL (valued at $21.4 million at the time). The exploit was surgical: the attacker minted unbacked tokens against the protocol's liquidity pools and swapped them for native SOL within minutes.

For five months, the stolen SOL sat untouched. The market moved on. Solana's price recovered. Step Finance patched the bug, published a post-mortem, and resumed operations.

Then movement.

On April 15, 2025, Lookonchain flagged the wallet. The attacker had split the funds into smaller batches, routed through multiple Solana decentralized exchanges (Jupiter aggregator, Raydium, Orca), bridged to Ethereum via Wormhole, swapped ETH for USDC on Uniswap, and finally deposited the proceeds into Tornado Cash.

Clean. Efficient. Boring.

Core: Systematic Teardown of the Money Laundering Pipeline

Let's break the operation into its atomic steps. Each stage represents a deliberate choice with measurable trade-offs in cost, speed, and privacy.

Phase 1: Liquidation on Solana

The attacker held SOL. Pure native asset. No token mixers on Solana with comparable anonymity to Tornado Cash. The first decision: dump or swap?

Dumping 214,000 SOL on a single DEX would cause severe slippage—potentially 3-5% on a pool with $10 million in liquidity. The attacker chose distribution.

Over a 2.5-hour window, the wallet executed 17 swaps across three DEX aggregators. Average slippage: 0.12%. Execution cost: 0.8 SOL in fees. The aggressor effectively simulated a market order without triggering price impact alerts—a technique I've reverse-engineered in past liquidity audits. It relies on routing through small-order-book pools and sandwich-resistant aggregators.

The output: approximately 21.2 million USDC (after slippage and fees).

Phase 2: Bridging to Ethereum

Why not stay on Solana? Tornado Cash v2 (deprecated) ran on Ethereum. No equivalent privacy protocol on Solana offers the same guarantee of unlinkability. The choice of bridge: Wormhole.

Wormhole is a generic message-passing protocol. For this transaction, the attacker used the canonical token bridge—locking USDC on Solana, minting Wormhole-wrapped USDC on Ethereum. The cost: ~0.5 SOL + $200 in Ethereum gas. The latency: 2 minutes.

Alternative: could have used native USDC (Circle-issued) via CCTP. But CCTP requires burning on source chain and minting on destination—that leaves a permanent public record of the exact amount burned. Wormhole's wrapped tokens allow the attacker to later unwrap and rewrap, adding a layer of obfuscation.

Phase 3: Conversion to Native ETH

On Ethereum, the attacker converted wrapped USDC to native ETH. The choice: Uniswap v3 on the USDC/ETH 0.05% fee tier.

One swap. $500 in gas. 0.02% slippage. Why ETH? Tornado Cash requires ETH for both deposit and gas. The attacker likely bought exactly 21,000 ETH (current rate ~$1,000 per ETH). No leftover, no dust.

Phase 4: Deposit into Tornado Cash

The attacker split the 21,000 ETH into 100 deposits of 100 ETH each into Tornado Cash's standard pool (100 ETH denomination). Each deposit generates a separate commitment—a private key known only to the depositor. Withdrawals use zero-knowledge proofs to break the link between deposit and withdrawal.

Cost: 100 transactions × ~0.01 ETH gas = 1 ETH total. Time: 3 hours.

The funds are now effectively untraceable on-chain. Any further analysis—IP addresses, exchange KYC—requires off-chain investigation.

s heart.

The entire operation took less than 8 hours. The attacker executed with the precision of a professional liquidation desk. No mistakes. No leftover tokens. No traceable metadata.

Contrarian: What the Bulls Got Right

Now the uncomfortable part.

The market reacted to this news with mild FUD: “Solana security is broken,” “Stolen funds are still moving,” “Regulation will crack down on privacy.”

Bull case: This event changes nothing.

First, the Step Finance vulnerability was patched five months ago. No new exploit. No systemic failure. The movement of funds was expected—any rational attacker would eventually liquidate. The delay actually signals sophistication, not vulnerability.

Second, the laundering technique is standard. The same pipeline—DEX swap, bridge, Tornado Cash—has been used in over 80% of DeFi hacks since 2021. This is not a unique attack vector; it's the established worst practice.

s heart.

Third, the impact on Solana's fundamentals is zero. Solana's TVL grew 40% in Q1 2025 despite the dormant funds. Active developers increased. The attacker's action is a drop in a $200 billion ecosystem.

Where the bulls are wrong: they dismiss the regulatory tail risk.

The use of Tornado Cash—sanctioned by OFAC since August 2022—means any U.S. person interacting with these funds (even unwittingly) is committing a crime. If the attacker's withdrawn ETH ends up on a centralized exchange via a privacy bridge, that exchange could face enforcement action.

More critically, the seamless execution of this pipeline exposes the inadequacy of current AML controls. DeFi aggregators and cross-chain bridges remain largely unregulated. The Treasury Department is watching.

Takeaway: The Accountability Conundrum

This is not a story about Step Finance or even about the hacker. It's a story about the gap between code and consequence.

The attacker operated entirely within the bounds of protocol rules. Smart contracts executed as written. The DAO didn't vote to block. No central authority intervened. The system performed exactly as designed.

s heart.

So who is accountable? The audit firm that missed the vulnerability? The DEX aggregator that facilitated the swap? The bridge engineer who deployed the Wormhole contracts? The Ethereum core developer who maintains the EVM?

None of them. The answer: no one. And that, precisely, is the risk.

Until the industry designs accountability mechanisms that scale with capital flows, every $21 million pile will eventually follow the same path. Code is law—until it isn't. And that means the law is whatever the most rational hacker decides it is.

The silence is over. The money is gone. The lesson remains incomplete.