
SecondFi blames web wallet key flaw after exploit hits 374 Cardano addresses
The platform estimates ~16M ADA was affected and says emergency measures secured ~129M ADA for verified users via third-party custody.
SecondFi says an address-level flaw in its Cardano web wallet key-generation and transaction-signing flow enabled attackers to drain funds from 374 addresses, with an estimated ~16 million ADA affected. The platform says it has secured roughly 129 million ADA via emergency measures and is transferring those funds to an independent third-party custodian pending user verification.
Key Takeaways
- Around 16 million ADA (about $2.4 million) was estimated affected across 374 addresses.
- Emergency measures secured roughly 129 million ADA that SecondFi says will be held by an independent third-party custodian for verified affected users.
- SecondFi tied the breach to a vulnerability in its Cardano web wallet generation software, describing an address-level issue that impacts users during transaction signing.
- Immunefi CEO Mitchell Amador said the wallet software exposed the private keys it generated, while emphasizing the Cardano blockchain itself remained secure.
SecondFi Exploit: 374 Addresses Hit as Platform Estimates ~16M ADA Affected
SecondFi says attackers drained funds from user addresses after exploiting a vulnerability tied to its Cardano-based wallet software. The platform’s estimate, provided on Tuesday (this article was published Jun. 24), put the impact at around 16 million ADA, or about $2.4 million, across 374 addresses.
Two things matter for market interpretation. First, the scope is being expressed at the address level, not as a chain-wide event. Second, the number is explicitly an estimate, which leaves room for revision once investigators reconcile on-chain flows with user reports and internal logs.
SecondFi describes itself as self-custodial, meaning users control their own private keys and recovery phrase rather than relying on an exchange to custody funds. That design choice is a double-edged sword in incidents like this. It reduces platform balance-sheet contagion, but it also concentrates risk in the key-generation and signing path. When that path breaks, the failure mode is direct loss from user-controlled addresses.
Emergency Custody Plan: ~129M ADA Secured and Moved to a Third-Party Holder
SecondFi says it triggered emergency measures that secured roughly 129 million ADA and that these funds are being transferred to an independent third-party custodian. The stated intent is to hold assets for affected users pending verification.
This is a notable pivot in incident handling. It reads less like ad hoc triage and more like a controlled claims process. In desk terms, that can dampen immediate sell-pressure reflexes from users who still have funds at risk, because the response is explicitly about securing assets and gating access through verification.
But it also introduces a new uncertainty vector. The custodian is not named, and the verification rules and timeline are not yet public. That matters because “independent third-party custodian” is a broad label. For traders watching ADA sentiment, the key question is whether this process is fast and transparent enough to prevent a rolling drip of new headlines, user confusion, and secondary losses.
The other structural point is custody risk. Moving assets to a custodian can reduce the chance of further on-chain drains from compromised wallets, but it replaces technical exploit risk with counterparty and process risk until the custodian identity, controls, and claims criteria are clarified.
Root Cause So Far: Address-Level Issue in Web Wallet Generation and Transaction Signing
SecondFi says it has identified the root cause of the exploit and is engaging Cardano ecosystem platforms and blockchain investigators. The company attributes the breach to a vulnerability in its Cardano web wallet generation software, tracing the root cause to an “address-level issue” that affects users when they sign transactions.
That phrasing is doing a lot of work. “Address-level” in this context points to a flaw tied to how wallet addresses and keys are generated or used during signing. SecondFi has not released a comprehensive post-mortem as of publication, so the market is operating with a directional diagnosis rather than a full technical narrative.
Mitchell Amador, CEO of security firm Immunefi, put it more bluntly: “SecondFi’s wallet software exposed the private keys it generated,” and he added that while the blockchain remained secure, the key-generation code is the “part nobody audits like a contract.” He also said attackers have increasingly shifted focus toward infrastructure that creates or stores crypto keys rather than blockchain protocols.
What stands out here is the alignment between the platform’s framing and an external security voice. Both point away from Cardano protocol compromise and toward key-management failure in wallet infrastructure. That distinction is not academic. Chain-level failures tend to reprice systemic risk across an ecosystem. Wallet-level failures tend to reprice trust in specific software stacks, and they can still spill into broader sentiment when branding and ecosystem relationships are unclear.
User Remediation Is Contested: ‘Don’t Restore Seed Phrases’ vs Community Migration Calls
SecondFi’s user guidance is unusually strict. The platform warned: “Recovery to another platform or wallet does not mitigate the risk,” and advised users not to restore their recovery phrases into new Cardano wallets.
A recovery phrase, or seed phrase, is the set of words that can recreate a wallet’s private keys and restore access to funds. If the exploit path involved private key exposure, then restoring that same seed into a new wallet interface does not change the underlying secret. It can recreate the same compromised keys.
At the same time, some community members urged users to migrate affected wallets and move funds to newly created addresses. That conflict is the near-term headline risk. When remediation advice diverges, the probability of secondary losses rises, especially for users who act quickly without a definitive, technically grounded safe path.
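Why restoring the same phrase elsewhere cannot help, and why the community's "new addresses" advice works only with fresh entropy, comes down to the fact that seed-to-key derivation is a pure function of the words. The script below is an added illustration, not SecondFi or Yoroi code: it uses the generic BIP39 seed step and a BIP32-style master-key step (Cardano's own Icarus derivation differs in its constants but is just as deterministic), with a constructed sample phrase taken from the BIP39 specification's test vectors.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample phrases for the demo (BIP39 spec test vector and a
# deliberately different one); not any real user's recovery phrase.
SAMPLE_MNEMONIC = ("abandon " * 11 + "about").strip()
FRESH_MNEMONIC = ("legal winner thank year wave sausage worth useful "
                  "legal winner thank yellow")


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase.

    There is no randomness here. Any wallet that implements the standard,
    old or new, audited or not, returns exactly these 64 bytes for the phrase.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seed_to_master_key(seed, domain=b"Bitcoin seed"):
    """BIP32-style master key: HMAC-SHA512(domain, seed) -> (private key, chain code).

    Cardano's Icarus scheme uses different inputs and constants, but the
    property that matters here is identical: same seed in, same secret out.
    """
    digest = hmac.new(domain, seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_keys(mnemonic, passphrase=""):
    """What any wallet UI ends up holding after 'restore from recovery phrase'."""
    return seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase))


def restore_elsewhere_changes_secret(mnemonic):
    """Simulate the contested advice: restore the phrase into a second wallet.

    Returns True only if the second wallet holds a different private key.
    It never does, so a key leaked by the first wallet still controls the
    funds no matter which software the phrase is restored into.
    """
    leaked_by_vulnerable_wallet = wallet_keys(mnemonic)
    restored_in_new_wallet = wallet_keys(mnemonic)
    return leaked_by_vulnerable_wallet != restored_in_new_wallet


def fresh_phrase_changes_secret(old_mnemonic, new_mnemonic):
    """Only new entropy (a newly generated phrase) yields keys the leak did not expose."""
    return wallet_keys(old_mnemonic) != wallet_keys(new_mnemonic)
```

The first check is the technical core of SecondFi's warning; the second is what "move funds to newly created addresses" actually requires, and it only helps if the new phrase is generated by software that does not have the same flaw.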
There is also an ecosystem positioning layer. SecondFi is described as a self-custodial platform built on Cardano that rebranded from the Yoroi wallet in April 2026. Yoroi was developed by Emurgo, which describes itself as the “for-profit arm of Cardano,” and it launched as the first open-source light wallet for Cardano.
Cardano founder Charles Hoskinson publicly distanced Input Output Global (IOG) from the incident, saying SecondFi is not an IOG product and that there is “no ownership, control, or business relationship” between the wallet and IOG. In a Tuesday video posted on X, he stressed IOG “is not Emurgo,” and said, “We didn’t write the code and we’re not connected to it.” He also said IOG’s incident response team had been in contact with SecondFi since Monday and that SecondFi requested an independent security audit.
The forward path is clear even if the details are not. Traders should watch whether SecondFi revises the ~16 million ADA estimate and the 374-address count after verification and investigator review, who the independent custodian is and how claims will be processed for the ~129 million ADA secured, and whether a comprehensive post-mortem clarifies the “address-level issue” mechanics and which user actions are definitively safe. Any updated official guidance on recovery phrases versus migration, especially if other Cardano ecosystem platforms echo or contradict SecondFi’s instructions, will likely determine how quickly this story decays.
Why This Reads as Key-Management Risk, Not a Cardano Protocol Failure
I’m treating this as a key-management incident until proven otherwise, and the evidence in hand supports that framing. SecondFi’s own attribution is to its web wallet generation software and an address-level issue during signing. Amador’s description is even more direct, saying the wallet software exposed the private keys it generated, while also stating the blockchain remained secure.
That matters because traders price different kinds of risk differently. A protocol failure is systemic. It tends to hit liquidity across the chain’s assets and applications because it calls finality and security assumptions into question. A wallet failure is narrower, but it can still punch above its weight if it triggers user flight, reputational spillover, or a prolonged drip of uncertainty.
The second-order effect I’m watching is process risk around the secured ~129 million ADA. SecondFi moving funds to an independent custodian suggests the response is transitioning from “stop the bleeding” to “adjudicate claims.” That can reduce immediate forced selling by affected users if they believe funds are being safeguarded. But it also creates a new dependency: the custodian identity, the verification rules, and the timeline. Until those are explicit, the market has to discount for operational friction and potential disputes.
Scenario one is clean containment. The custodian is identified, the verification process is published, and the affected estimate stays near ~16 million ADA with limited scope creep beyond the 374 addresses. Confirmation points are straightforward: a named custodian, a clear claims workflow, and a post-mortem that maps the address-level issue to specific unsafe actions.
Scenario two is scope expansion without protocol implications. The estimate rises after investigators reconcile additional affected addresses or flows, but the root cause remains wallet-side key exposure. That would keep the “Cardano is secure” narrative intact while extending headline duration and increasing the probability of user-driven de-risking from similar wallet stacks.
Scenario three is remediation confusion turning into secondary loss. If official guidance remains contested and users keep restoring phrases or migrating incorrectly, the incident can generate follow-on drains that look like new attacks even if they are just delayed consequences of the same key exposure. The invalidation point for the “contained key-management failure” thesis would be evidence that the Cardano protocol itself was compromised, which is not supported by the facts provided here.
My base read is that ADA’s chain-level risk premium should not reprice off this alone, but wallet and infrastructure trust can still move sentiment. The thesis is confirmed if the post-mortem and custodian process both reinforce that the failure was private-key exposure in wallet software, not a Cardano protocol break.