SecondFi, the Cardano wallet formerly known as Yoroi, claims to have fixed a major exploit that drained approximately 16 million ADA, worth approximately $2.4 million, from 374 user wallets in three separate attacks.
The root cause was a flaw in SecondFi’s proprietary wallet generation software. The vulnerability is at the address level, meaning that simply moving a seed phrase to another wallet offers no protection. “The security risk arises when an affected user signs a transaction,” the team said on X.
Before the attackers could reach another 129 million ADA, SecondFi said it triggered emergency rescue measures, routing the funds to an independent third-party custodian. An external accounting firm has been hired to verify these holdings and affected users can submit complaints to SecondFi.
Blockchain security firm SlowMist estimates that total losses could exceed $20 million when taking into account all compromised wallets and tokens, a figure that remains unconfirmed pending an independent audit.
Cardano founder Charles Hoskinson acknowledged the incident but noted that the dollar amount was small compared to other crypto hacks, although he stressed that this offered little consolation to those affected. “It hurts them every time they lose something,” he said. “This is the sad reality of crypto.”
ADA is currently trading around $0.15, its lowest level since 2020.
