An unidentified white hat rescued roughly $18.5 million in Cardano assets after a private-key flaw in SecondFi’s wallet generation software exposed 374 users to a coordinated drain of more than 16 million ADA, according to reports from CryptoNews and Blockonomi.
SecondFi, formerly Yoroi, is the leading Cardano browser wallet, not a fringe application. The exploit ran as four attack events between June 21 and June 23 and stemmed from an error in the deterministic nonce derivation used by SecondFi's proprietary wallet-generation software, according to CoinDesk.
The flaw exposed private keys on-chain at the address level when users signed transactions: the signatures users published are themselves what leaks the key. That means affected users cannot protect themselves by importing the same seed phrase into a different wallet, since the key material is already derivable from the chain. Their only path is to submit claims directly to SecondFi.
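To show why a faulty deterministic nonce turns public signatures into a key leak, here is an added example; it is not SecondFi's code and does not reproduce the reported flaw, whose mechanics the cited reports do not describe. Cardano signs with Ed25519, which derives the per-signature nonce deterministically as SHA-512(prefix || message). The hypothetical bug below leaves the message out of that hash, so every signature from a key shares the same R, and any two on-chain signatures then give up the secret scalar by simple algebra. The curve arithmetic is a minimal textbook Ed25519 written for this illustration (not constant-time, not for production), and the seed and transaction bytes are constructed:

```python
import hashlib

# Field prime and base-point order of Ed25519 (the scheme Cardano signs with).
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493


def inv(x):
    return pow(x, P - 2, P)


D = (-121665 * inv(121666)) % P      # curve constant d
I = pow(2, (P - 1) // 4, P)          # sqrt(-1), used in x recovery


def xrecover(y):
    """Recover the even x coordinate for a given y on the curve."""
    xx = (y * y - 1) * inv(D * y * y + 1) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * I % P
    return P - x if x & 1 else x


BY = 4 * inv(5) % P
B = (xrecover(BY), BY)               # base point


def add(p1, p2):
    """Twisted Edwards point addition in affine coordinates."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * inv(1 - t) % P)


def mul(p, e):
    """Double-and-add scalar multiplication; not constant time, demo only."""
    acc = (0, 1)
    while e:
        if e & 1:
            acc = add(acc, p)
        p = add(p, p)
        e >>= 1
    return acc


def encode(point):
    """Standard 32-byte point encoding: y little-endian, sign of x in the top bit."""
    x, y = point
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def hint(data):
    return int.from_bytes(hashlib.sha512(data).digest(), "little")


def expand(seed):
    """Seed -> (clamped secret scalar a, 32-byte nonce prefix)."""
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:]


def public_key(seed):
    return encode(mul(B, expand(seed)[0]))


def sign(seed, msg, buggy=False):
    a, prefix = expand(seed)
    pk = public_key(seed)
    # Correct Ed25519: r = H(prefix || msg). Hypothetical bug (NOT the reported
    # SecondFi flaw): the message is left out, so r, and hence R, is identical
    # for every transaction the key ever signs.
    r = hint(prefix if buggy else prefix + msg) % L
    R = encode(mul(B, r))
    h = hint(R + pk + msg) % L
    return R + ((r + h * a) % L).to_bytes(32, "little")


def recover_scalar(pk, msg1, sig1, msg2, sig2):
    """Two signatures sharing R leak a = (S1 - S2) / (h1 - h2) mod L."""
    R1, R2 = sig1[:32], sig2[:32]
    if R1 != R2:
        return None                  # distinct nonces: nothing to recover
    S1 = int.from_bytes(sig1[32:], "little")
    S2 = int.from_bytes(sig2[32:], "little")
    h1 = hint(R1 + pk + msg1) % L
    h2 = hint(R2 + pk + msg2) % L
    return (S1 - S2) * pow(h1 - h2, -1, L) % L


def demo():
    seed = hashlib.sha256(b"constructed demo seed, not a real key").digest()
    pk = public_key(seed)
    m1, m2 = b"constructed tx 1", b"constructed tx 2"
    # Two published signatures from the buggy signer ...
    leaked = recover_scalar(pk, m1, sign(seed, m1, True), m2, sign(seed, m2, True))
    # ... reproduce the victim's public key, i.e. the attacker can now sign as them.
    attacker_owns_key = leaked is not None and encode(mul(B, leaked)) == pk
    # The correct signer gives an observer nothing to work with.
    safe = recover_scalar(pk, m1, sign(seed, m1), m2, sign(seed, m2))
    return attacker_owns_key, safe is None


if __name__ == "__main__":
    print(demo())
```

The recovered value is the secret scalar modulo the group order, which is all an attacker needs, since the public key and every valid signature depend only on that residue. Note also that the check in `recover_scalar` reads nothing but public data: anyone scanning the chain can run it against every address, which is why a user cannot undo the exposure by re-importing the same seed elsewhere.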
SecondFi’s initial disclosure put confirmed losses at about $2.4 million, while SlowMist’s independent review put total at-risk funds above $20 million, according to Crypto Briefing.
The white hat routed the rescued funds to a third-party custodian, but the white hat's identity remains unknown. It is also still unresolved whether all rescued funds will be returned to users.
SecondFi said it pre-empted attackers to rescue 129 million ADA and announced on June 27 that it would return user funds within two weeks. The team has not yet explained how the wallet-generation flaw passed audit or reached users.
For affected users, the practical point is narrow: there is no self-help fix. Claims must go through SecondFi’s process, and the return timeline now depends on the team’s stated two-week plan.