24.06.2026
17:04

SecondFi Exploit: 16 Million ADA Leaked Due to Key Generation Vulnerability

On June 23, the SecondFi team announced a critical security issue in its wallet on the Cardano blockchain, immediately putting the platform into safe maintenance mode. Users temporarily lost the ability to conduct operations through the interface while developers assessed the scale of the breach.

The very next day, on June 24, SecondFi confirmed that attackers had withdrawn approximately 16 million ADA from 374 addresses. Based on the ADA exchange rate of about $0.146 at the time of the incident, the damage is estimated at roughly $2.4 million.

Emergency measures and the nature of the vulnerability

To prevent a complete loss of funds, the SecondFi team launched emergency protection protocols. "Measures were taken to protect the available 129 million ADA. These funds are being directed to an independent qualified third-party custodian, where they are held in the interests of the affected addresses," project representatives stated.

Analysis showed that four withdrawal events occurred during the incident. Three of them were carried out by attackers, while the fourth was likely related to the team's own movement of the aforementioned 129 million ADA to protect assets. Notably, SecondFi did not directly disclose the details of this transfer.

Immunefi CEO Mitchell Amador noted that the problem lies in the project's own software: it exposed private keys that it had generated itself. The vulnerability therefore affected the wallet module responsible for key generation, not the Cardano blockchain. This is why SecondFi strongly recommended that users not restore the seed phrase in other Cardano-based wallets: the risk remains.

IOG's position and the founder's reaction

Cardano founder Charles Hoskinson was quick to distance himself from the incident. In his statement, he emphasized: "We have nothing to do with SecondFi. We have no stake, control, ownership, or business relationship. It's like asking Apple if they will fix a problem with a Microsoft product." He also noted that IOG did not write code for SecondFi and is not associated with it.

The company behind SecondFi (formerly known as Yoroi Wallet) is EMURGO, one of the key players in the Cardano ecosystem. In its documentation, EMURGO describes itself as a co-founder of the blockchain that drives commercial adoption of the technology. However, Hoskinson made it clear that IOG does not control EMURGO and cannot speak on its behalf.

This incident once again raises security questions in the DeFi sector. In my view, the main lesson here is that even respected projects behind infrastructure solutions can make fatal errors at the code level. Cardano users should be especially vigilant and verify the reliability of the wallets they use, especially if they generate keys. While founders wash their hands of the matter, the responsibility for asset safety still falls on the end user.