SecondFi, the Cardano wallet formerly known as Yoroi, says it has patched a major exploit that drained about 16 million ADA, worth approximately $2.4 million, from 374 user wallets across three separate attacks.
The root cause was a bug in SecondFi’s proprietary wallet generation software. The vulnerability is at the address level, meaning that simply moving a seed phrase to another wallet provides no protection. “The security risk occurs when an affected user signs a transaction,” the team at X said.
Before the attackers could reach another 129 million ADA, SecondFi said it triggered emergency rescue measures, directing the funds to an independent third-party depository. An external auditing firm has been hired to verify these holdings, and affected users can submit claims to SecondFi.
Blockchain security firm SlowMist estimates that total losses could exceed $20 million when the full range of compromised wallets and tokens is taken into account, a figure that remains unconfirmed pending an independent audit.
Cardano founder Charles Hoskinson acknowledged the incident, but noted that the dollar amount was modest compared to other crypto hacks, though he stressed that it did not provide much comfort to those affected. “It hurts them when they lose something,” he said. “This is the unfortunate reality of crypto.”
ADA is currently trading around $0.15, the lowest level since 2020.
