SecondFi, the Cardano wallet formerly known as Yoroi, says it has patched a major exploit that drained roughly 16 million ADA, worth approximately $2.4 million, from 374 user wallets across three separate attacks.
The root cause was a flaw in SecondFi’s proprietary wallet generation software. The vulnerability sits at the address level, meaning simply moving a seed phrase to another wallet offers no protection. “The security risk occurs when an affected user signs a transaction,” the team said on X.
Before attackers could reach a further 129 million ADA, SecondFi said it triggered emergency rescue measures, routing the funds to an independent third-party custodian. An external accounting firm has been engaged to verify those holdings and affected users can submit claims to SecondFi.
Blockchain security firm SlowMist estimates total losses could exceed $20 million when accounting for the full range of compromised wallets and tokens, a figure that remains unconfirmed pending an independent audit.
Cardano founder Charles Hoskinson acknowledged the incident but noted the dollar amount was modest relative to other crypto hacks, though he stressed that offered little consolation to those affected. “It hurts them whenever they lose anything,” he said. “This is the unfortunate reality of crypto.”
ADA is currently trading around $0.15, its lowest level since 2020.
