24.06.2026
17:24

SecondFi Exploit on Cardano: 16 Million ADA Stolen, Ecosystem on Edge

On June 23, the SecondFi team announced a critical vulnerability in its wallet on the Cardano blockchain, immediately switching the platform to safe maintenance mode. Users temporarily lost the ability to conduct transactions through the interface while developers assessed the scale of the incident. The very next day, June 24, it became known that approximately 16 million ADA had been stolen from 374 addresses. Based on my estimates, given the ADA exchange rate of about $0.146 at the time of the attack, the damage amounts to approximately $2.4 million.

Emergency Measures and Root Cause

To prevent a complete loss of assets, the SecondFi team launched emergency protection protocols. It was stated that about 129 million ADA had been preserved and were being directed to an independent qualified third-party custodian for the benefit of the affected addresses. The investigation revealed that the vulnerability lies at the address level and is related to the transaction signing process. This means that simply restoring the seed phrase in another Cardano-based wallet does not eliminate the risk — attackers could have compromised the private key generation itself. SecondFi released a fix for wallets that were not affected and recommended that all users refrain from restoring access through third-party applications.

Ecosystem Reaction and IOG's Position

The incident triggered a wave of statements from key Cardano players. Immunefi CEO Mitchell Amador noted that the problem lies solely in SecondFi's software, not in the Cardano blockchain. Cardano founder Charles Hoskinson was quick to distance Input Output Global (IOG) from the incident, emphasizing that the company has no connection to SecondFi: no stake, no control, and no business ties. Notably, EMURGO, one of the co-founders of the Cardano ecosystem, stands behind SecondFi (formerly known as Yoroi Wallet). This creates an interesting precedent: formally, IOG and EMURGO are independent entities, but for the community they are pillars of the same ecosystem.

Analysis and Conclusions

This case is not just another exploit but a serious signal for the entire self-custody wallet industry. A hack at the key generation level undermines the very concept of "not your keys, not your coins." While SecondFi works on recovering funds, the Cardano ecosystem is undergoing a stress test. I should note that on-chain detective ZachXBT had previously criticized Cardano's operational model, calling it a "scheme for insider enrichment." This incident only adds fuel to the fire of discussions about security and decentralization. My professional advice: always verify the origin and code audit of wallets, especially those that generate keys rather than just store them. The market does not forgive negligence.