Cardano News

Critical Vulnerability Found in SecondFi Wallet Private Key Generation

SecondFi, the Cardano-based self-custody wallet platform formerly known as Yoroi, has identified a critical vulnerability in its wallet infrastructure that potentially exposed user seed phrases and private keys during the creation process. The protocol has paused operations and activated an emergency response following the incident.

The flaw resides specifically within SecondFi’s proprietary web-based wallet generation software. According to a security update from the project, a deterministic nonce derivation error allowed external actors to reconstruct private keys using publicly available on-chain data. The vulnerability is activated when an affected address signs a transaction, effectively making the associated seed phrases compromised.

Scope and Impact

Data regarding the total financial impact remains under review, and the exact number of affected users has not been finalized. Initial reports estimated losses of approximately 16 million ADA (roughly $2.4 million) across 374 wallets. However, secondary observations from security firm SlowMist suggested the broader impact could potentially exceed 129 million ADA, though these higher figures await official confirmation from the protocol.

Forensic investigators have traced the activity back to three distinct waves of attacks, which SecondFi attributed to two separate threat actors. The project stated it has reported these individuals to the relevant authorities. The Cardano blockchain protocol itself was not compromised; the failure point was localized to the software layer handling cryptographic operations for SecondFi.

Recovery Plan and User Guidance

SecondFi and its developer, Emurgo, have outlined a two-week restitution timeline. The first week is dedicated to building a technical recovery mechanism, followed by a week of testing and security validation before assets are returned to users. A final balance snapshot was captured on June 26 to facilitate the restitution process.

The protocol has issued specific instructions for users to manage risk during the maintenance period:

  • Do not restore seed phrases: Affected users are strongly advised not to restore compromised recovery phrases into other Cardano wallets. Because the vulnerability is linked to the key generation itself, the seed phrases are considered “burned,” and moving them to another platform will not resolve the underlying exposure.
  • Avoid independent transfers: Moving funds independently could disrupt the coordinated recovery process or introduce additional security risks.
  • Official communication: Users are urged to rely only on official support channels and ignore unsolicited messages, as malicious actors are reportedly impersonating SecondFi to conduct phishing attacks.

Operations remain paused while a full security review is conducted. SecondFi indicated that the only recommended action for users at this stage is to submit a support ticket through its official portal to assist in the verification of affected accounts.