Attack on SecondFi: 16 million ADA stolen due to critical vulnerability in key generation

On June 23, the SecondFi team detected a serious vulnerability in its own wallet on the Cardano blockchain. The platform was immediately switched to safe maintenance mode, temporarily blocking all user operations. Developers began an emergency assessment of the incident's scale.
By the next day, June 24, it became known that attackers had managed to withdraw approximately 16 million ADA from 374 addresses. Based on my calculations, given the ADA exchange rate of about $0.146 at the time of the attack, the direct damage amounted to roughly $2.4 million. However, as experience shows, indirect losses to the project's reputation and to user trust can be many times higher.
The SecondFi team stated that emergency protection protocols were activated to prevent a total loss of funds. The remaining 129 million ADA were promptly moved to an independent qualified third-party custodian. These funds are held in the interests of the affected addresses, but the mechanism for their return has not yet been disclosed.
Detailed Analysis of the Incident
During the investigation, it was discovered that the vulnerability lies at the address level. The risk arises at the moment of signing a transaction. This means that simply moving funds to another wallet or platform does not eliminate the threat. That is why SecondFi strongly recommended that users not restore the seed phrase in any other Cardano-based wallet.
According to the team, four withdrawal events were recorded. Three of them were actions by attackers. The fourth was presumably initiated by the team itself to protect the remaining assets. This has not been directly confirmed, but it is consistent with an emergency response.
Immunefi CEO Mitchell Amador pointed to the root cause: SecondFi's software exposed the private keys it itself generated. The problem lies not in the Cardano blockchain, but in the wallet module responsible for key generation. This is a classic example of an error at the application level, not the protocol level.
Position of Key Ecosystem Players
Cardano founder Charles Hoskinson was quick to distance himself from the incident. He emphasized that SecondFi is not a product of Input Output Global (IOG), and the company has no business relationship with this project. Hoskinson compared the situation to contacting Apple about a problem with a Microsoft product.
However, it is important to note that behind SecondFi (formerly known as Yoroi Wallet) stands EMURGO — one of the three co-founders of the Cardano blockchain. EMURGO, in its documentation, positions itself as a company driving commercial adoption of the technology. This fact creates an ambiguous situation: formally, IOG bears no responsibility, but a strategic partner of the ecosystem made a critical error.
My analysis: This incident is yet another reminder that security in DeFi and cryptocurrencies is not only about protocol reliability but also about the quality of application software code. The leakage of private keys due to a generator error is a fatal flaw that undermines trust in the entire segment. While the Cardano ecosystem demonstrates resilience at the L1 level, such incidents at the application level could significantly slow its mass adoption. The market has long demanded from developers not just functionality, but uncompromising security at all levels of the stack.