SecondFi, the Cardano wallet formerly known as Yoroi, was hit by three separate attacks that drained roughly 16 million ADA, worth about $2.4 million, from 374 user wallets through a flaw in the platform's proprietary wallet generation software. A patch has already been rolled out for unaffected users.
The vulnerability activates at the address level when a transaction is signed, which means affected users cannot protect themselves by moving their seed phrase to another wallet. They must instead submit claims directly to SecondFi. Before attackers could reach a further 129 million ADA held by impacted users, the team triggered emergency rescue measures and routed the funds to an independent third-party custodian. An external accounting firm has been engaged to verify those holdings.
Blockchain security firm SlowMist has estimated that total losses could still exceed $20 million once the full range of compromised wallets and tokens is counted, a figure that remains unconfirmed pending an independent audit.
Why it matters
The mechanism is the headline. Address-level key generation flaws are a particularly hostile class of bug because the standard recovery move in self-custody, sweeping a seed phrase to a fresh wallet, does not neutralize the exposure. Every signature from a compromised key remains an open door. SecondFi's claim workflow is therefore the only off-ramp for affected users, which puts the burden of restitution on a small team still working through its own incident response.
Cardano founder Charles Hoskinson acknowledged the incident publicly and noted that the dollar figure was modest relative to other crypto hacks, while stressing that this offered little consolation to those hit. "It hurts them whenever they lose anything. This is the unfortunate reality of crypto," he said.
Market impact
ADA is currently trading around $0.15, its lowest level since 2020. The exploit lands on top of a multi-year downtrend for the token and adds reputational pressure on Cardano-native wallet infrastructure at a moment when network activity has already been thin.
Frequently asked questions
- How much was drained in the SecondFi Cardano wallet exploit?
  SecondFi confirmed three attacks drained roughly 16 million ADA, worth about $2.4 million, from 374 user wallets.
- Why can't users protect themselves by moving their seed phrase?
  The vulnerability sits at the address level and activates when a transaction is signed, so transferring a seed phrase to another wallet does not neutralize the exposure. Affected users must submit claims directly to SecondFi.
- How much ADA did SecondFi rescue before attackers could reach it?
  The team triggered emergency rescue measures and routed a further 129 million ADA to an independent third-party custodian. An external accounting firm has been engaged to verify those holdings.
- What is SlowMist's wider loss estimate?
  Blockchain security firm SlowMist estimates total losses could exceed $20 million once the full range of compromised wallets and tokens is counted, a figure that remains unconfirmed pending an independent audit.
- How has ADA reacted to the exploit?
  ADA is trading around $0.15, its lowest level since 2020, with the exploit adding reputational pressure on Cardano-native wallet infrastructure on top of an existing multi-year downtrend.
CoinDesk