24.06.2026
15:18

SecondFi Hack: 16 million ADA leaked due to critical wallet vulnerability

The Cardano ecosystem has suffered a serious reputational blow: the SecondFi platform, previously known as Yoroi Wallet, was exploited, resulting in attackers withdrawing approximately 16 million ADA. The incident was recorded on June 23, after which the project team immediately switched the platform to safe maintenance mode, blocking all user operations through the interface.

According to my data, the attack affected 374 addresses. At the time of the incident, ADA was trading at around $0.146, which puts the losses at about $2.4 million. However, this is just the tip of the iceberg: the SecondFi team stated that emergency measures allowed them to protect the remaining 129 million ADA, which are now being transferred for storage to an independent qualified custodian. This indicates that the scale of the potential catastrophe was significantly larger.

Attack Details: A Problem at the Address Level

During the investigation, it was discovered that the vulnerability lies not in the Cardano blockchain itself, but in the wallet module responsible for generating private keys. As noted by Immunefi CEO Mitchell Amador, SecondFi's software simply exposed the very keys it had created. This is a fundamental flaw in the security architecture.

The SecondFi team confirmed that the risk arises at the moment of signing a transaction. That is why they strongly advised users not to attempt to restore their seed phrase in other Cardano-based wallets: this would not solve the problem and would only expand the attack surface. A total of four withdrawal events were recorded: three carried out by the attackers, and a fourth that was presumably an emergency transfer of 129 million ADA by the team itself to protect assets, although this has not been directly disclosed.

Position of IOG and EMURGO: Who is Responsible?

Cardano founder Charles Hoskinson was quick to distance himself from the incident, stating that SecondFi is not a product of Input Output Global (IOG). He emphasized that IOG has no stake, control, or business relationship with this platform. However, it is important to understand that behind SecondFi stands EMURGO — one of the three key co-founders of the Cardano blockchain, which positions itself as the driver of commercial adoption of the technology.

This incident once again raises the issue of governance decentralization within the Cardano ecosystem. Formally, IOG and EMURGO are independent entities, but for the community, they are part of a single "core." The fact that Hoskinson calls SecondFi a "Microsoft product" in relation to IOG's "Apple" only highlights the disunity and lack of unified security standards among key players.

My analysis: This exploit is not just a technical glitch, but a serious wake-up call for the entire industry. The leak of 16 million ADA due to a fundamental error in key generation is a failure at the level of basic product design. While founders shift responsibility, users lose real funds. This case should serve as a catalyst for revising security audit standards for wallets, especially those claiming to be "primary" in their ecosystems.