Cardano wallet SecondFi traced the incident to an address-level issue and secured 129 million ADA after attackers drained funds from 374 addresses.
A vulnerability in Cardano-based wallet SecondFi allowed attackers to drain user funds, resulting in major losses.
SecondFi on Wednesday confirmed it had identified the root cause of the exploit and is now engaging with Cardano ecosystem platforms and blockchain investigators to address the issue.
The company also said it triggered emergency measures that secured roughly 129 million ADA, which is being transferred to an independent third-party custodian and held for affected users pending verification.
The platform on Tuesday estimated that around 16 million ADA, or $2.4 million, was affected across 374 addresses.
Cardano founder Charles Hoskinson said SecondFi is not an Input Output Global product and stressed that there is no ownership, control, or business relationship between the wallet and IOG.
SecondFi has not released a comprehensive post-mortem as of publication, but has issued multiple statements confirming a security breach caused by a vulnerability in its Cardano web wallet generation software.
It said the root cause of the incident was an issue at the address level that affects users when they sign transactions.
“SecondFi’s wallet software exposed the private keys it generated,” Mitchell Amador, CEO of security company Immunefi, told Cointelegraph.
Amador said that while the blockchain remained secure, the code that generates the keys is the “part nobody audits like a contract.” He added that attackers have increasingly shifted focus toward infrastructure that creates or stores crypto keys rather than blockchain protocols.
“Recovery to another platform or wallet does not mitigate the risk,” SecondFi said, advising users not to restore their recovery phrases into new Cardano wallets. The guidance differed from recommendations by some community members, who urged users to migrate affected wallets and move funds to newly created addresses.