The SecondFi hack in the Cardano ecosystem: actual losses may reach $20 million
The SecondFi project, operating within the Cardano ecosystem, has confirmed a serious security incident. The cause was a vulnerability in its proprietary wallet generation software. According to the team's preliminary estimates, the direct damage amounts to approximately 16 million ADA (roughly $2.4 million); however, data from independent analysts indicates that actual losses may exceed $20 million.
An internal investigation determined that the breach originated in the Cardano wallet generator developed by the company. The team has already conducted an on-chain analysis to assess the scale of the damage and has engaged a third-party blockchain security firm to perform an independent technical audit.
Discrepancy in Damage Estimates
Yu Xian, founder of the security firm SlowMist, believes the actual damage could be significantly higher than the official figures. His analysis of the attacker's fund movements and wallet activity suggests that theoretical user losses could exceed $20 million.
According to Cos (Yu Xian's online handle), losses linked to the incident could reach up to 129 million ADA and other tokens — far exceeding the project's own initial calculations. He noted that he has tracked two suspected attacker addresses.
The roughly eightfold gap between the estimates from SlowMist and SecondFi remains significant. This could mean that some compromised wallets have not yet been drained but remain vulnerable. As long as not all assets have been withdrawn, the threat to users persists.
Why the Vulnerability is Dangerous and What Users Should Do
The threat affects the fundamental principle of self-custody of assets. The vulnerable software generated private keys with predictable randomness, putting all wallets created through this program at risk. According to the initial assessment, approximately 178 wallets were affected.
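As an added illustration (not SecondFi's code, and not taken from the page), a constructed Python sketch of what "predictable randomness" means in a wallet key generator, together with the reproducibility check an auditor would run: a generator seeded from a timestamp returns the same key for the same input, hashing that seed does not help, and only the OS CSPRNG path passes. The timestamp value and function names are assumptions made for the example.

```python
import hashlib
import random
import secrets

# Constructed illustration of the flaw: seeding a user-space PRNG with a
# low-entropy value such as a wall-clock timestamp. Mersenne Twister is fully
# determined by its seed, so the "random" key is a function of the timestamp.
def weak_private_key(timestamp: int) -> bytes:
    rng = random.Random(timestamp)
    return rng.getrandbits(256).to_bytes(32, "big")

# A common non-fix: hashing the weak seed. SHA-256 is deterministic, so the
# key space is still only as large as the seed space.
def hashed_weak_private_key(timestamp: int) -> bytes:
    return hashlib.sha256(timestamp.to_bytes(8, "big")).digest()

# The sound construction: 32 bytes taken directly from the OS CSPRNG.
def strong_private_key() -> bytes:
    return secrets.token_bytes(32)

def is_reproducible(keygen, *inputs) -> bool:
    """Audit check: run the generator twice with identical inputs. A key
    generator that returns the same key both times is predictable."""
    return keygen(*inputs) == keygen(*inputs)

if __name__ == "__main__":
    ts = 1_700_000_000  # constructed sample timestamp
    print("weak reproducible:  ", is_reproducible(weak_private_key, ts))         # True
    print("hashed reproducible:", is_reproducible(hashed_weak_private_key, ts))  # True
    print("strong reproducible:", is_reproducible(strong_private_key))           # False
```

The same check applies to any generator that accepts a seed: if an auditor can replay the inputs and obtain the same key, so can anyone else who can guess those inputs.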
SecondFi is a rebranded version of Yoroi, one of the earliest and most popular "light" Cardano wallets, used by over a million ADA holders. Yoroi was developed by EMURGO, one of the three founding companies of Cardano, and was rebranded in early June 2026. As a result, the reputational blow from this attack is felt more acutely than it would be for an incident involving an anonymous project.
The project has suspended operations, entered maintenance mode, and taken a snapshot of user balances. The team has urged anyone who created a wallet through its software to immediately transfer assets to wallets from other services. SecondFi continues its investigation and promises to disclose the exact amount of losses after the technical audit is completed.
My analysis: This incident is yet another reminder that even respected projects with a long history can contain critical code errors. Predictable key generation is a fundamental flaw that neither auditors nor developers should overlook. Cardano users should reconsider their security approaches: entrust their assets exclusively to hardware wallets or verified, repeatedly audited open-source solutions. Until the industry develops unified security standards for "light" wallets, such attacks will continue to occur.