A private-key generation flaw in SecondFi's wallet software drained at least 16 million ADA from 178 wallets on June 23, confirmed at roughly $2.4 million. Blockchain security firm SlowMist says total losses, including other tokens, could exceed $20 million. Cardano's base protocol is not involved.
How the flaw worked
SecondFi is an EMURGO-backed self-custody platform and the successor to the Yoroi wallet. The flaw was in its proprietary Cardano web wallet-generation software. Blink Labs found that the software produced "private keys with predictable randomness": anyone who could reproduce the generator's output could derive the private key of any wallet created with that version, so those wallets were compromised at creation, before any transaction was signed. SecondFi confirmed in a public statement: "We have isolated the root cause of the recent security incident. The issue was confined to our native Cardano web wallet generation software."
SecondFi's response
SecondFi halted services on June 23, entered maintenance mode, and created a balance snapshot to freeze holdings at the moment of detection. The platform advised users to migrate remaining assets but also warned: "The security risk affects wallet users when a transaction is signed. Therefore recovery to another platform or wallet does not mitigate the risk." An independent blockchain security firm has been engaged for review; no recovery or reimbursement timeline has been disclosed.
Loss estimates
SlowMist tracked fund flows across suspect addresses. SlowMist founder Cos put the total at over $20 million, covering up to 129 million ADA plus additional tokens. That is a projection, not a confirmed settlement amount. SecondFi's preliminary figure stands at 16 million ADA at $0.150237 per ADA — approximately $2.4 million. On-chain transaction records for the drain have not been independently published as of this writing.
Around 200 suspicious on-chain transactions were recorded on June 21–22 before the halt was announced. Security researchers flagged secondary scams targeting affected users, including impersonators posing as SecondFi support and offering fake recovery tools.