24.06.2026
09:30

SecondFi hack on Cardano: damage assessment diverges eightfold — actual losses may exceed $20 million

The Cardano ecosystem has faced a serious security incident. The SecondFi project, previously known as the popular Yoroi wallet, has confirmed a critical vulnerability in its proprietary wallet generation software. According to preliminary data from the team, the direct damage is estimated at approximately 16 million ADA (about $2.4 million), but independent analysis points to far more extensive consequences.

Yu Xian, founder of the security company SlowMist, conducted his own investigation and concluded that actual user losses could exceed $20 million. Analysis of the attacker's fund movements and of the activity of compromised wallets shows that assets worth up to 129 million ADA and other tokens may be at risk. This is almost eight times higher than the project's own initial estimate.

What is the essence of the vulnerability and why is the discrepancy in numbers so large?

The problem lies in the private key generation algorithm. SecondFi's internal software generated keys from predictable randomness, allowing the attacker to compute them and gain access to funds. Initially, 178 compromised wallets were reported, but SlowMist's data indicates that some vulnerable addresses have not yet been drained. This means the threat persists for anyone who created a wallet through this software, even if their funds have not been touched yet.

It is important to understand the context: SecondFi is a rebranded Yoroi, one of the oldest and most popular "light" wallets for Cardano, developed by EMURGO, one of the three co-founders of the blockchain. It was used by over a million ADA holders. The rebranding only occurred in early June 2026. Thus, the reputational blow to a project affiliated with key ecosystem players is far more severe than an attack on an anonymous DeFi project.

Project actions and recommendations

SecondFi immediately suspended operations, entered maintenance mode, and took a snapshot of user balances. The team urges everyone who created a wallet through their software to transfer assets to wallets from other services as soon as possible. The investigation continues with the involvement of third-party blockchain security auditors. The team has promised to disclose the exact amount of losses once the technical audit is complete.

My analysis: This incident is not just another hack. It is a systemic failure at the level of Cardano's fundamental infrastructure. A vulnerability in the code responsible for private key generation is the worst nightmare for any blockchain. It undermines trust in the very principle of secure storage. The fact that independent experts estimate the damage several times higher than the project itself indicates either an incomplete internal investigation or an attempt to mitigate initial panic. In any case, this case will be a serious test for Cardano and its community regarding their ability to respond quickly and transparently to critical threats.