SecondFi Hack May Top $20M as Cardano Wallet Flaw Exposes ADA

SlowMist's founder reads the on-chain fund flows and lands on a higher number than the project's own preliminary estimate, and a single bad wallet generator is what opened the door.

SecondFi, a Cardano ecosystem project, has traced its recent security incident to a flaw in its proprietary Cardano wallet generation software. The team's preliminary estimate pegged the impact at around 16 million ADA.

That number is almost certainly too low. SlowMist founder Cos (Yu Xian) said on-chain analysis of the hacker's wallet activity and fund flows points to actual user losses that could theoretically exceed $20 million, spanning more than 129 million ADA plus other tokens swept from affected wallets.

Why it matters

The vector is the part that should worry other Cardano builders. A bespoke wallet generator is upstream of every address the tool produced, so a single flaw in key-derivation or entropy handling compromises the entire cohort of wallets derived from it in one shot. That is structurally different from a smart-contract bug, and it does not get smaller as the ecosystem grows.

Market impact

SecondFi is working with a blockchain security firm on an independent technical review, and on-chain analysis is ongoing to enumerate every affected address. The wider ADA market has not reacted sharply so far, but the precedent for any project distributing user-facing wallet tooling on Cardano is now clearly worse: the cost of a wallet-generator bug scales with every user it onboarded, not with the size of any one contract.

Frequently asked questions

  1. What happened in the SecondFi hack on Cardano?

    SecondFi traced its recent security incident to a flaw in its proprietary Cardano wallet generation software. The team's preliminary estimate put losses at around 16 million ADA.

  2. How much was actually lost in the SecondFi incident?

    SecondFi estimated around 16 million ADA, but SlowMist founder Cos (Yu Xian) said on-chain analysis of the hacker's wallet activity suggests actual losses could theoretically exceed $20 million across more than 129 million ADA and other tokens.

  3. Who is investigating the SecondFi exploit?

    SecondFi said it is working with a blockchain security firm on an independent technical review, while SlowMist founder Cos (Yu Xian) has been publicly tracking the hacker's on-chain fund flows.

  4. Why is a wallet generator flaw worse than a smart-contract bug?

    A bespoke wallet generator sits upstream of every address it produces, so a single flaw in key derivation or entropy handling can compromise the entire cohort of derived wallets at once, scaling with every user onboarded rather than with any one contract.

  5. Has the ADA market reacted to the SecondFi hack?

    As of the latest reporting, the wider ADA market has not reacted sharply to the revised loss estimate from SlowMist, though on-chain enumeration of affected addresses is still ongoing.

Source attribution
Aggregated from WuBlockchain