SecondFi Hack on Cardano: 16 Million ADA Leaked Due to Key Generation Vulnerability
On June 23, the SecondFi team was forced to put its platform on the Cardano blockchain into safe maintenance mode after discovering a critical security issue. Users temporarily lost the ability to conduct transactions through the interface while developers assessed the scale of the breach.
By the next day, June 24, it became known that attackers had managed to withdraw approximately 16 million ADA from 374 addresses. Based on my estimates, using the ADA exchange rate at that time (~$0.146), the damage amounted to approximately $2.4 million. This is a serious blow to trust in the project, which positioned itself as a reliable wallet.
Emergency Measures and Scale of the Problem
To prevent a complete loss of funds, the SecondFi team launched emergency protection protocols. They managed to block and redirect the remaining 129 million ADA to an independent qualified custodian. As the developers stated, these funds will be held in the interests of the affected addresses.
The investigation revealed that four withdrawal events occurred. Three of them were the work of attackers, while the fourth was likely initiated by the team itself to move protected assets. SecondFi did not directly confirm this fact, but logic suggests this sequence of events.
Root of the Vulnerability: Private Keys at Risk
The main conclusion I draw from this incident is that the vulnerability lies at the level of private key generation. As noted by Immunefi CEO Mitchell Amador, SecondFi's software exposed the keys it itself generated. This is a fundamental error in security architecture.
It is important to emphasize: the problem does not affect the Cardano blockchain as a whole. It is localized specifically in the SecondFi wallet module responsible for key creation. This is why the team strongly recommended that users NOT restore their seed phrase in other Cardano-based wallets — the risk of compromise remains.
Position of IOG and EMURGO: Distancing and Responsibility
Cardano founder Charles Hoskinson was quick to distance his company Input Output Global (IOG) from the incident. He stated that SecondFi is not an IOG product and that they have no business relationship or control over the project. "We did not write this code and are not associated with it," Hoskinson emphasized.
However, it is important to understand the context. Behind SecondFi (formerly known as Yoroi Wallet) stands EMURGO — one of the three key founders of Cardano, alongside IOG and the Cardano Foundation. EMURGO describes itself as a co-founder of the blockchain, driving its commercial adoption. Thus, while IOG is formally not responsible, the incident casts a shadow over the entire ecosystem, especially against the backdrop of recent events where a "dormant" wallet accidentally lost $6.05 million on an illiquid pool.
My analysis: This hack is not just a technical failure, but a systemic breakdown in risk management. A project that aspires to be the primary wallet for Cardano should not allow private key leaks at the generation level. Users should reconsider their risks when using any non-custodial solutions, especially those associated with young teams.