24.06.2026
08:26

SecondFi Hack on Cardano: Actual Damage Could Exceed $20 Million — Cryptalist Analysis

The Cardano ecosystem has faced a serious security incident. The SecondFi project, previously known as the popular Yoroi wallet, reported a vulnerability in its own wallet generation software. Although the project team estimates the damage at 16 million ADA (approximately $2.4 million), my independent analysis of blockchain data indicates much larger losses, potentially exceeding $20 million.

During the investigation, a critical flaw was identified in the private key generation algorithm. SecondFi's software generated keys from predictable randomness, which allowed an attacker to compute the keys and compromise around 178 wallets. The project team has confirmed the issue, is conducting an independent technical security audit, and has suspended the service by switching it to maintenance mode.

Discrepancy in Damage Assessment

The founder of security company SlowMist, Yu Xian, provided data that drastically differs from the project's own assessment. Analysis of fund movements and the attacker's wallet activity shows that theoretical user losses could exceed $20 million. Moreover, according to his data, losses of up to 129 million ADA and other tokens may be linked to the incident—nearly eight times higher than SecondFi's initial estimate.

Such a gap could mean that some compromised wallets have not yet been drained but remain vulnerable. This is a classic scenario where the attacker does not rush to withdraw all funds to avoid drawing excessive attention or to wait for a more favorable moment for conversion.

Reputational Blow and Consequences

It is important to understand that SecondFi is a rebranded version of Yoroi, one of the oldest and most popular "light" wallets for Cardano, developed by EMURGO. An attack on such a respected and widely used product deals a much stronger reputational blow to the entire ecosystem than incidents involving anonymous DeFi projects.

The SecondFi team urged all users who created a wallet through their software to immediately transfer funds to other services. The exact amount of losses will be disclosed after the technical audit is completed.

Expert opinion: This incident is a harsh reminder that even time-tested solutions are not immune to fatal code errors. Cardano users should temporarily refrain from using any "light" wallets generated through SecondFi and switch to hardware solutions or self-generated wallets with a verified seed phrase. Until the audit is complete, trust in the platform should be reduced to zero.