SecondFi Exploit on Cardano: Private Keys Leaked, 16 Million ADA Stolen

On June 23, the SecondFi team, formerly known as Yoroi Wallet, announced a critical vulnerability in its wallet on the Cardano blockchain. The platform was immediately switched to safe mode, and user access to operations through the interface was temporarily blocked. The developers launched a large-scale investigation into the incident.
Scale of the Attack and Emergency Measures
The very next day, June 24, SecondFi confirmed that attackers managed to withdraw approximately 16 million ADA from 374 addresses. Based on my estimates, given the ADA rate of about $0.146 at the time of the incident, the direct losses amounted to roughly $2.4 million. However, as the analysis showed, this is just the tip of the iceberg.
The SecondFi team stated that emergency protection protocols were activated to prevent a total loss of funds. As a result, 129 million ADA were saved and are now being transferred to an independent, qualified third-party custodian. These funds will be held on behalf of the owners of the affected addresses. It is important to note that a total of four withdrawal events were recorded: three were carried out by the attackers, and the fourth was presumably initiated by the team itself to move the protected assets.
Root of the Problem: Key Generation
Mitchell Amador, CEO of Immunefi, pointed out a key detail during the investigation: SecondFi's software exposed the private keys that it itself generated. This is a fundamental vulnerability at the level of the wallet's architecture, not of the Cardano blockchain itself. This is precisely why SecondFi strongly recommended that users not attempt to recover their seed phrase in other Cardano-based wallets: the risk of compromise remains.
This incident is a stark example of how an error in the key generation module can lead to catastrophic consequences, despite the overall security of the blockchain. Users should double-check who exactly is responsible for the security of their seed phrase.
Ecosystem Reaction and IOG's Position
Charles Hoskinson, founder of Cardano, was quick to distance Input Output Global (IOG) from the incident. He emphasized that SecondFi is not an IOG product, and the company has no stake, control, or business relationship with this project. "We did not write this code and are not associated with it," Hoskinson stated, comparing the situation to asking Apple to fix a Microsoft product.
However, it is worth noting that behind SecondFi stands EMURGO, one of the three key co-founders of the Cardano blockchain. In its documentation, EMURGO describes itself as a driver of commercial adoption of the technology. This conflict of interest, together with the attempt to distance the ecosystem from the problems of a product backed by one of its co-founders, raises serious questions about the decentralization of governance within the ecosystem.
My analysis: This exploit is not just a technical failure, but a serious blow to Cardano's reputation as an ecosystem with advanced security. The fact that the vulnerability arose at the key generation level in a product from one of its co-founders calls into question the audit and quality control models in projects associated with EMURGO. While IOG distances itself, the community will have to deal with the consequences on its own, and trust in Cardano's "scientific" approach has suffered another crack.