EMURGO said on Saturday it has identified a recovery path for users of its SecondFi Cardano wallet and aims to begin returning assets within roughly two weeks.
The exploit drained about 16 million ADA, around $2.4 million, from 374 addresses between June 21 and 23 through a flaw in SecondFi's own wallet-generation software. A report from Tibane Labs, a competing wallet builder, blames an unaudited third-party SDK that it says replaced EMURGO's audited signing code on June 8 and left a single signature able to leak a user's private key.
Why it matters
The breach lands at the wallet-software layer, not the Cardano protocol itself, but the failure mode is uncomfortable for the ecosystem: a dependency swap inside the build pipeline introduced unvetted code into a previously audited signing path. That is the kind of supply-chain event that pushes competing wallets to publish their dependency hashes and audit attestations, and it puts pressure on EMURGO to disclose exactly which SDK was swapped, when, and how the replacement passed code review.
Market impact
ADA has not shown a coordinated market reaction to the news, which is consistent with a wallet-vendor incident rather than a protocol-level failure. The more durable signal is reputational: a $2.4M loss across 374 users is small relative to the chain's market cap, but it concentrates damage on the SecondFi user base specifically. Watch whether EMURGO publishes the recovery contract addresses, whether the two-week timeline holds, and whether Cardano-native wallet vendors begin publishing third-party SDK attestations as a default practice.
Frequently asked questions
- Was the Cardano protocol itself hacked in the SecondFi incident?
  No. The exploit targeted SecondFi's wallet-generation software, not the Cardano protocol. Roughly 16 million ADA, about $2.4 million, was drained from 374 user addresses between June 21 and 23.
- How did the SecondFi exploit actually work?
  According to a report from Tibane Labs, an unaudited third-party SDK replaced EMURGO's audited signing code on June 8 and left a single signature able to leak a user's private key.
- Who is EMURGO and what is SecondFi?
  EMURGO is one of the founding entities behind Cardano. SecondFi is its Cardano wallet product, and the exploit hit the wallet's own software, not the underlying chain.
- Will affected SecondFi users get their ADA back?
  EMURGO said Saturday it has identified a recovery path and aims to begin returning assets within roughly two weeks. The announcement did not yet name the recovery contract addresses.
- How much was lost in the SecondFi exploit?
  About 16 million ADA, valued at roughly $2.4 million at the time, drained from 374 addresses over a three-day window from June 21 to 23.
TheBlock