
SecondFi Pinpoints Cardano Wallet Exploit to Root Address Flaw



SecondFi, a self-custody wallet platform built on Cardano, says it has identified the underlying cause of an exploit that led to major theft and is now coordinating with Cardano ecosystem partners and independent investigators to contain further risk.


In its latest update, the company said it activated emergency controls that helped secure about 129 million ADA, moving the funds to an independent third-party custodian. SecondFi added that the ADA will be held for affected users while verification is completed. Earlier, it estimated that roughly 16 million ADA (about $2.4 million) had been drained across 374 addresses.



Key takeaways



  • SecondFi attributes the incident to a vulnerability in its Cardano web wallet generation software, describing an issue “at the address level” that impacts users when signing transactions.

  • While SecondFi says emergency steps secured around 129 million ADA, it warns that restoring recovery phrases elsewhere may not remove the underlying exposure risk.

  • Cardano founder Charles Hoskinson said SecondFi is not an Input Output Global (IOG) product and stressed there is no ownership or control relationship between IOG and the wallet.

  • SecondFi has not published a full post-mortem yet, but it is working with investigators and ecosystem platforms to address the exploit and guide remediation.



Emergency containment and the scale of funds affected


SecondFi said the breach was discovered after attackers were able to access user funds. On Wednesday, the platform confirmed it had located the root cause of the problem and moved into response mode with ecosystem stakeholders and blockchain investigators.


As part of its containment effort, SecondFi reported triggering emergency measures that secured approximately 129 million ADA. The company said it has transferred these assets to an independent third-party custodian and will hold them for users affected by the exploit while identities and claims are verified.


On Tuesday, SecondFi had estimated the immediate impact as 16 million ADA (around $2.4 million) across 374 addresses. The gap between the earlier “estimated affected” figure and the later “secured” amount suggests that remediation and containment actions occurred quickly enough to prevent additional movement beyond the initial drains—though SecondFi has not provided a full breakdown of how the totals relate.



What SecondFi says went wrong: a key-generation flaw


SecondFi has not released a comprehensive post-mortem, but it has issued statements outlining how the incident occurred. According to the platform, the vulnerability traced back to an address-level issue within its Cardano web wallet generation software—specifically a flaw that affects users during transaction signing.


Mitchell Amador, CEO of the security firm Immunefi, told Cointelegraph that SecondFi’s wallet software “exposed the private keys it generated.” In his view, the blockchain itself stayed secure; the risky component was the code responsible for generating or handling the cryptographic keys, an area he says is often less scrutinized than the blockchain protocol.


This distinction matters for users. Unlike failures in on-chain consensus or network-level bugs, key-generation weaknesses can be exploited off-chain in ways that may not be prevented simply by switching front ends after the fact. Once private material is compromised, attackers can reuse it to sign transactions even if the underlying chain continues to operate correctly.



Guidance to users: don’t assume a recovery phrase is “safe”


SecondFi’s remediation guidance emphasized that simply moving to another wallet may not be enough. The company said that “recovery to another platform or wallet does not mitigate the risk,” advising users not to restore recovery phrases into new Cardano wallets.


The recommendation diverged from what some community members urged. On X, for example, at least one prominent community figure encouraged users to migrate affected wallets and move funds to newly created addresses. SecondFi’s different stance indicates a concern that the exposure may persist beyond the original interface—potentially because the recovery phrase itself or the key-generation process remains unsafe when reused.


For affected users, this is a critical operational difference. If the recovery phrase is compromised or if wallet software repeatedly generates keys using vulnerable logic, restoring phrases elsewhere could recreate the same weakness. Users will likely need to follow the most conservative guidance until SecondFi and security partners publish a clearer explanation of what exactly was leaked and how far the exposure extends.



Hoskinson responds: IOG has no ownership or control over SecondFi


Cardano founder Charles Hoskinson weighed in on the broader question of responsibility. In a post on X, Hoskinson said SecondFi is not an Input Output Global product and stressed there is no ownership, control, or business relationship between the wallet and IOG.


Hoskinson also said IOG’s incident response team has been in contact with SecondFi since Monday, and that SecondFi requested an independent security audit. In a Tuesday video, he further clarified that IOG is “not Emurgo” and cannot speak on Emurgo’s behalf regarding the exploit.


SecondFi has previously been associated with a transition from the Yoroi wallet. The platform is described as having rebranded from Yoroi in April 2026. Yoroi, according to Cardano.org coverage, was originally developed by Emurgo, which frames itself as the for-profit arm of Cardano and positioned Yoroi as an open-source light wallet for ADA users.


Taken together, Hoskinson’s comments underline a common ambiguity in crypto reporting after wallet incidents: users and observers often assume that any wallet built “on Cardano” inherits oversight from the broader ecosystem. SecondFi’s situation—and Hoskinson’s explicit clarification—suggests governance boundaries remain important even when products operate in the same network.



Looking ahead, the key unknown is whether SecondFi will publish a detailed post-mortem explaining which parts of the key-generation pipeline failed and what remediation steps fully eliminate the risk. Users watching this story should pay close attention to the independent audit findings and any updates from SecondFi or Cardano security partners on how to safely move holdings without reintroducing the same weakness.



https://www.cryptobreaking.com/secondfi-pinpoints-cardano-wallet-exploit/?utm_source=blogger%20&utm_medium=social_auto&utm_campaign=SecondFi%20Pinpoints%20Cardano%20Wallet%20Exploit%20to%20Root%20Address%20Flaw%20
