Thursday, July 2, 2026

SecondFi Pauses Operations After Cardano Wallet Key Flaw

SecondFi, the Cardano self-custody wallet platform formerly known as Yoroi, has paused affected functions after identifying a critical flaw in its native Cardano web wallet generation software. The team says the issue has been contained, while recovery work and security reviews continue.

The vulnerability sits at the address and private-key level, not in the Cardano protocol itself. SecondFi’s technical update says the affected software signer had a flaw in its deterministic nonce derivation, which leaked enough information during transaction signing for attackers to reconstruct private keys from public blockchain data.

Exploit Drained 16M ADA as Wider Exposure Was Contained

SecondFi confirmed four distinct draining events, three of them attributed to external threat actors. Those attacks compromised about 16 million ADA across 374 addresses, representing roughly $2.4 million in losses.

The team also triggered emergency rescue measures for about 129 million ADA during the active exploit. Those assets were routed to an independent qualified third-party custodian for the benefit of affected wallet addresses, with an external accounting firm engaged to verify the holdings.

Confirmed losses and protected exposure are separate figures. The 16 million ADA figure reflects assets drained by attackers, while the 129 million ADA figure represents funds SecondFi says were secured before broader losses materialized.

External blockchain analysis has placed the potential exposure above $20 million when additional wallets, NFTs and other tokens are included. That larger figure remains dependent on forensic review and final accounting rather than a completed reimbursement tally.

Recovery Process Depends on Snapshot and Security Review

SecondFi completed a final balance snapshot on June 26, 2026, giving the team a verified record to support recovery planning. The platform estimated that asset returns could begin in roughly two weeks, with about one week for a working solution and another week for testing and review.

The team has warned affected users not to restore recovery phrases into another Cardano wallet or independently move assets. Because the same recovery phrase can recreate the same exposed addresses, moving the phrase to another interface does not remove the address-level risk.

SecondFi also flagged fraudulent messages impersonating project support during the recovery process. The team said it will never request private keys, seed phrases, wallet credentials or direct wallet access, and no user recovery action requiring private information has begun.

The platform will remain under restricted operation until security reviews and recovery procedures are complete. The next critical updates will be audited custody accounting, step-by-step claim instructions, final user impact figures and a full technical post-mortem explaining how the wallet generation flaw reached production.
