Critical SecondFi Vulnerability on Cardano: Actual Losses May Exceed $20 Million
The Cardano ecosystem has faced a serious security incident. The SecondFi project, a rebranded Yoroi wallet, acknowledged that a vulnerability was discovered in its proprietary wallet generation software. According to preliminary data from the team, direct losses amount to approximately 16 million ADA (roughly $2.4 million). However, my independent analysis and data from security experts indicate that actual losses could be significantly higher—exceeding $20 million.
Research revealed that the breach stemmed from predictable private key generation. SecondFi's internal software produced keys with too little entropy, leaving a key space small enough for an attacker to enumerate, derive the matching private keys, and gain access to user funds. Initially, 178 compromised wallets were reported, but this is just the tip of the iceberg.
Discrepancy in Estimates: Why $20 Million Is a Conservative Forecast
Leading blockchain security experts, including the founder of SlowMist, conducted their own investigation. Analysis of fund movements and activity from suspicious addresses shows that assets worth up to 129 million ADA and other tokens could be at risk. This is eight times higher than the project's own estimate.
This discrepancy arises because some compromised wallets have not yet been drained. The attacker is likely acting selectively or waiting for victims to top up their accounts. Since the keys themselves are the weakness, a wallet that has not yet been emptied is not safe, and every user who created a wallet through SecondFi remains at risk.
Scope of the Threat and What Users Should Do
SecondFi is not an anonymous DeFi project but a rebranded Yoroi product developed by EMURGO, one of the three founding companies of Cardano. It was used by over a million ADA holders. The reputational blow to the ecosystem is immense. The project has suspended operations, entered maintenance mode, and taken a snapshot of balances. The team urges anyone who created a wallet through their software to immediately transfer assets to wallets from other services.
The exact amount of losses will be disclosed after the completion of an independent technical audit, but it is already clear: this incident is a serious wake-up call for the entire industry. Vulnerabilities in key generation code are a fundamental problem that undermines trust in the very principle of self-custody.
My expert opinion: This hack is not just a technical glitch but a systemic error in the approach to security. Cardano and other blockchain users should reconsider their habits: never trust key generation to a single source, especially if it is a "light" wallet from a major developer. Diversification and the use of hardware wallets remain the gold standard of security. The market will remember this lesson for a long time.