24.06.2026
15:49

SecondFi Exploit: 16 Million ADA Drained Due to Fatal Key Generation Vulnerability

On June 23, SecondFi, a platform specializing in DeFi solutions for the Cardano blockchain, was forced to urgently switch its services to a safe maintenance mode. The cause was a critical vulnerability in the project's wallet, which led to a large-scale leak of funds. Developers immediately blocked user operations to assess the scale of the disaster and prevent further draining of wallets.

Scale and Mechanism of the Attack

The very next day, June 24, the SecondFi team confirmed the worst fears: attackers successfully compromised 374 addresses and withdrew approximately 16 million ADA from them. At the exchange rate at the time of the incident, roughly $0.146 per token, the damage is estimated at $2.4 million. It is important to emphasize that this is just the "tip of the iceberg": the attack could have been far more devastating.

As the investigation revealed, the vulnerability was not at the Cardano blockchain level, but directly in the private key generation module of the SecondFi wallet. Essentially, the project's software "exposed" these keys, making them accessible to attackers at the moment a user signed a transaction. This explains why simply switching platforms or restoring a seed phrase in another wallet would not have solved the problem — the danger was embedded in the very architecture of the application.

Emergency Measures and Rescue of 129 Million ADA

In response to the active attack, the SecondFi team took unprecedented measures. To prevent a complete loss of liquidity, they manually moved 129 million ADA to the address of an independent qualified custodian. These funds are secure and intended for subsequent distribution among affected users. A total of four major withdrawal events were recorded: three were the work of hackers, and the fourth was the team's own operation to rescue assets.

Ecosystem Reaction and IOG's Position

The incident caused a wave of tension in the Cardano community. The blockchain's founder, Charles Hoskinson, and his company Input Output Global (IOG) were quick to distance themselves from what happened. Hoskinson stated directly that SecondFi is not an IOG product and that they have "no stake, no control, no business relationship." He compared the situation to asking Apple to solve a problem with a Microsoft product. However, it is worth noting that SecondFi (formerly known as Yoroi Wallet) is owned by EMURGO, which positions itself as one of the co-founders of the Cardano ecosystem.

Expert opinion: This incident is a stark example of how a fundamental error in the security architecture of one application can undermine trust in an entire blockchain, even if the Cardano protocol itself was not hacked. For the community, this is a wake-up call: the network's reputation is built not only on the reliability of the base layer but also on the quality of the software running on it. Restoring trust after such a leak could take months, and this is a lesson for all DeFi projects that cut corners on auditing key generation code.