SecondFi disclosed a security issue in its Cardano wallet generation software, after attacks drained roughly 16 million ADA from user wallets. The platform, formerly known as Yoroi, traced the incident to proprietary wallet generation logic rather than a general Cardano network failure.
The initial confirmed loss was estimated at about 16 million ADA, worth roughly $2.4 million, according to available reporting. However, external analysis attributed to SlowMist suggested that broader user exposure could exceed $20 million if additional vulnerable wallets and tokens are included.
Wallet Generation Flaw Creates Address-Level Risk
The core issue appears to involve the way SecondFi generated wallets and private keys. That makes the incident especially serious because it undermines the central assumption of self-custody: that keys generated and held locally are known only to the user, so that funds are safe as long as the seed phrase is never disclosed.
SecondFi reportedly said the vulnerability sits at the address level, meaning affected users cannot resolve the risk simply by importing the same seed phrase into another wallet: a deterministic wallet reproduces the same keys and addresses from the same seed, so the exposed addresses remain exposed wherever that seed is loaded. The risk may activate when an affected user signs a transaction.
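To make the "address-level" point concrete, the following is an added illustration, not code from SecondFi, Yoroi or EMURGO, and it does not reproduce the undisclosed flaw. It uses a hypothetical, simplified HMAC-SHA512 derivation chain (BIP32-style) rather than Cardano's real CIP-1852/Ed25519 scheme, and toy addresses that hash the private key; the path indices, the `"example wallet seed"` HMAC key and the demo seed are all constructed for the example. What it shows is the property that matters: two independent wallet programs importing the same seed arrive at the same address, so re-importing a seed cannot change which addresses are exposed, and the only remedy is a fresh seed from the OS CSPRNG and a sweep of funds to the new address.

```python
"""Illustrative HD-style derivation (added example, not SecondFi/Yoroi code).

Hypothetical, simplified scheme: keys come from an HMAC-SHA512 chain over the
seed, as in BIP32-style wallets. Cardano's actual derivation (CIP-1852, Icarus,
Ed25519) differs in detail but shares the property demonstrated here: the seed
fully determines every key and address.
"""
import hashlib
import hmac
import secrets

# CIP-1852-like indices, purely for flavour; the values are an assumption.
ACCOUNT_PATH = [1852, 1815, 0, 0, 0]


def master_key(seed: bytes) -> tuple[bytes, bytes]:
    """Master private key and chain code from the seed (hypothetical HMAC key)."""
    digest = hmac.new(b"example wallet seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_child(key: bytes, chain: bytes, index: int) -> tuple[bytes, bytes]:
    """One hardened-style derivation step: HMAC over the parent key and index."""
    data = b"\x00" + key + index.to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_path(seed: bytes, path: list[int]) -> bytes:
    """Walk the path from the master key; every step is deterministic."""
    key, chain = master_key(seed)
    for index in path:
        key, chain = derive_child(key, chain, index)
    return key


def address_for(private_key: bytes) -> str:
    """Toy address: a BLAKE2b hash of the key (real addresses hash a public key)."""
    return "addr_example_" + hashlib.blake2b(private_key, digest_size=28).hexdigest()


def wallet_a_import(seed: bytes) -> str:
    """Stands in for the original wallet software deriving the user's address."""
    return address_for(derive_path(seed, ACCOUNT_PATH))


def wallet_b_import(seed: bytes) -> str:
    """Stands in for a different wallet program importing the same seed phrase."""
    return address_for(derive_path(seed, ACCOUNT_PATH))


def same_address_after_reimport(seed: bytes) -> bool:
    """True when importing the seed elsewhere yields the very same address."""
    return wallet_a_import(seed) == wallet_b_import(seed)


def sweep_plan(old_seed: bytes) -> dict:
    """Remedy: generate a fresh seed from the OS CSPRNG and move funds to it."""
    new_seed = secrets.token_bytes(32)
    return {
        "from": address_for(derive_path(old_seed, ACCOUNT_PATH)),
        "to": address_for(derive_path(new_seed, ACCOUNT_PATH)),
        "new_seed_hex": new_seed.hex(),  # would be backed up, never reused
    }


if __name__ == "__main__":
    # Constructed demo seed; a real seed must never be an all-zero constant.
    demo_seed = bytes.fromhex("00" * 32)
    print("same address after re-import:", same_address_after_reimport(demo_seed))
    plan = sweep_plan(demo_seed)
    print("sweep", plan["from"], "->", plan["to"])
```

The design point is that "importing into another wallet" only changes the software that holds the seed, not the mathematical relationship between seed and address; a flaw that lives at the address or key level therefore follows the seed into any compliant wallet, which is why an emergency move of funds to freshly generated addresses, rather than a re-import, is the response the page describes.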
Three separate attacks hit SecondFi users, draining funds from hundreds of wallets. Before attackers could reach additional balances, the team reportedly moved about 129 million ADA into emergency custody with an independent third-party custodian.
That emergency action is important because it separates confirmed losses from potential exposure. The 16 million ADA figure reflects assets already drained, while the 129 million ADA figure represents funds that may have been at risk but were reportedly secured before attackers could access them.
SlowMist Estimate Remains Pending Audit
The larger damage estimate should be treated cautiously because a direct public SlowMist technical report was not available in the reviewed material. Secondary reports attribute the $20 million-plus exposure estimate to SlowMist, but the final amount remains subject to independent audit and wallet-level accounting.
SecondFi’s connection to Yoroi adds additional sensitivity. Cardano’s official ecosystem page describes SecondFi as the successor to Yoroi and built by EMURGO, meaning the incident affects a wallet lineage with long-standing visibility in the Cardano community.
The incident also highlights a deeper self-custody infrastructure risk. If wallet generation software is flawed, users may be exposed even without phishing, seed-phrase disclosure or malicious smart contract interaction, so the usual user-side precautions offer no protection; the only effective remedy is to move funds to addresses produced by unaffected software.
For now, the confirmed picture is that SecondFi acknowledged a wallet-generation problem, initial losses reached roughly 16 million ADA, and external analysis suggests broader exposure could be materially higher. The next critical updates will be a full technical post-mortem, audited custody accounting, user claim procedures and clear guidance for affected wallet holders.
