Cardano News

SecondFi Discloses Cardano Wallet Flaw with Potential $20M Exposure

SecondFi, a Cardano ecosystem wallet provider formerly known as Yoroi, has identified a critical vulnerability in its native web-based wallet generation software. The project confirmed that the flaw directly impacts how private keys were created, exposing a significant portion of its user base to potential theft.

While verified losses currently stand at approximately 16 million ADA (valued at roughly $2.4 million), security analysts suggest the scope of the risk is substantially larger. Blockchain security firm SlowMist projected that total exposure could exceed $20 million, potentially affecting up to 129 million ADA tokens across 178 confirmed wallets. According to on-chain reports, the gap between confirmed theft and total exposure suggests that many wallets whose keys were compromised remain exposed but have not yet been drained.

Root Cause and Mechanism of Failure

The incident stems from a defect in the software responsible for generating new wallets and handling private keys. This defect allowed attackers to either recreate or access private keys tied to specific accounts created through the SecondFi web interface. Unlike external protocol exploits or smart contract bugs, this flaw sits at the foundation of the user’s security: the initial key generation process.

SecondFi has suspended its web services and placed the platform into a “secure maintenance mode.” The team stated they have taken a snapshot of user balances to assist in potential compensation efforts, though specific details regarding reimbursement remain unconfirmed. The project is reportedly collaborating with an independent security firm, as well as ecosystem entities including IOG and the Cardano Foundation, to mitigate further damage.

Ongoing Risks and User Recommendations

The vulnerability specifically affects users who generated wallets through the SecondFi web-based system. The project has issued an urgent advisory for all users to migrate their assets to newly generated wallets immediately. However, the migration itself carries secondary risks; fraudulent actors have begun impersonating SecondFi representatives, distributing counterfeit “recovery tools” designed to harvest credentials from affected users.

The available evidence indicates that while 178 wallets are confirmed as compromised, the underlying software flaw likely applies to a broader set of addresses. Security researchers emphasize that the “at-risk” figure represents tokens sitting in wallets where the private keys may already be in the possession of the exploiter.

Current Infrastructure Status

  • Platform Status: Web services are currently offline for maintenance.
  • Confirmed Losses: Approximately 16 million ADA ($2.4M).
  • Projected Risk: Up to 129 million ADA ($20M+).
  • Official Action: Users are advised to move funds to new wallets and avoid any third-party links or recovery tools provided via social media.

The exact timeframe for a full technical audit and the finalization of a recovery plan has not yet been disclosed. The platform continues to urge impacted users to report their wallet addresses and transaction hashes through official support channels to assist in the ongoing investigation.