
SecondFi Pinpoints Cardano Wallet Exploit to Root Address Flaw


SecondFi, a self-custody wallet platform built on Cardano, says it has identified the underlying cause of an exploit that led to major theft and is now coordinating with Cardano ecosystem partners and independent investigators to contain further risk.

In its latest update, the company said it activated emergency controls that helped secure about 129 million ADA, moving the funds to an independent third-party custodian. SecondFi added that the ADA will be held for affected users while verification is completed. Earlier, it estimated that roughly 16 million ADA (about $2.4 million) had been drained across 374 addresses.

Key takeaways

  • SecondFi attributes the incident to a vulnerability in its Cardano web wallet generation software, describing an issue “at the address level” that impacts users when signing transactions.
  • While SecondFi says emergency steps secured around 129 million ADA, it warns that restoring recovery phrases elsewhere may not remove the underlying exposure risk.
  • Cardano founder Charles Hoskinson said SecondFi is not an Input Output Global (IOG) product and stressed there is no ownership or control relationship between IOG and the wallet.
  • SecondFi has not published a full post-mortem yet, but it is working with investigators and ecosystem platforms to address the exploit and guide remediation.

Emergency containment and the scale of funds affected

SecondFi said the breach was discovered after attackers were able to access user funds. On Wednesday, the platform confirmed it had located the root cause of the problem and moved into response mode with ecosystem stakeholders and blockchain investigators.

As part of its containment effort, SecondFi reported triggering emergency measures that secured approximately 129 million ADA. The company said it has transferred these assets to an independent third-party custodian and will hold them for users affected by the exploit while identities and claims are verified.

On Tuesday, SecondFi had estimated the immediate impact as 16 million ADA (around $2.4 million) across 374 addresses. The gap between the earlier “estimated affected” figure and the later “secured” amount suggests that remediation and containment actions occurred quickly enough to prevent additional movement beyond the initial drains—though SecondFi has not provided a full breakdown of how the totals relate.

What SecondFi says went wrong: a key-generation flaw

SecondFi has not released a comprehensive post-mortem, but it has issued statements outlining how the incident occurred. According to the platform, the vulnerability traced back to an address-level issue within its Cardano web wallet generation software—specifically a flaw that affects users during transaction signing.

Mitchell Amador, CEO of security firm Immunefi, told Cointelegraph that SecondFi’s wallet software “exposed the private keys it generated.” In his view, the blockchain itself stayed secure; the risky component was the code responsible for generating or handling the cryptographic keys, an area he says is often less scrutinized than the blockchain protocol.

This distinction matters for users. Unlike failures in on-chain consensus or network-level bugs, key-generation weaknesses can be exploited off-chain in ways that may not be prevented simply by switching front ends after the fact. Once private material is compromised, attackers can reuse it to sign transactions even if the underlying chain continues to operate correctly.

Guidance to users: don’t assume a recovery phrase is “safe”

SecondFi’s remediation guidance emphasized that simply moving to another wallet may not be enough. The company said that “recovery to another platform or wallet does not mitigate the risk,” advising users not to restore recovery phrases into new Cardano wallets.

The recommendation diverged from what some community members urged. On X, for example, at least one prominent community figure encouraged users to migrate affected wallets and move funds to newly created addresses. SecondFi’s different stance indicates a concern that the exposure may persist beyond the original interface—potentially because the recovery phrase itself or the key-generation process remains unsafe when reused.

For affected users, this is a critical operational difference. If the recovery phrase is compromised or if wallet software repeatedly generates keys using vulnerable logic, restoring phrases elsewhere could recreate the same weakness. Users will likely need to follow the most conservative guidance until SecondFi and security partners publish a clearer explanation of what exactly was leaked and how far the exposure extends.

Hoskinson responds: IOG has no ownership or control over SecondFi

Cardano founder Charles Hoskinson weighed in on the broader question of responsibility. In a post on X, Hoskinson said SecondFi is not an Input Output Global product and stressed there is no ownership, control, or business relationship between the wallet and IOG.

Hoskinson also said IOG’s incident response team has been in contact with SecondFi since Monday, and that SecondFi requested an independent security audit. In a Tuesday video, he further clarified that IOG is “not Emurgo” and cannot speak on Emurgo’s behalf regarding the exploit.

SecondFi has previously been associated with a transition from the Yoroi wallet. The platform is described as having rebranded from Yoroi in April 2026. Yoroi, according to Cardano.org coverage, was originally developed by Emurgo, which frames itself as the for-profit arm of Cardano and positioned Yoroi as an open-source light wallet for ADA users.

Taken together, Hoskinson’s comments underline a common ambiguity in crypto reporting after wallet incidents: users and observers often assume that any wallet built “on Cardano” inherits oversight from the broader ecosystem. SecondFi’s situation—and Hoskinson’s explicit clarification—suggests governance boundaries remain important even when products operate in the same network.

Looking ahead, the key unknown is whether SecondFi will publish a detailed post-mortem explaining which parts of the key-generation pipeline failed and what remediation steps fully eliminate the risk. Users watching this story should pay close attention to the independent audit findings and any updates from SecondFi or Cardano security partners on how to safely move holdings without reintroducing the same weakness.

This article was originally published as SecondFi Pinpoints Cardano Wallet Exploit to Root Address Flaw on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.
