Woofun AI reports that SecondFi, a self-custodial wallet operating on the Cardano blockchain, confirmed on Wednesday that a severe vulnerability in its address generation software allowed attackers to drain user funds. The platform identified the root cause as an address-level issue that compromised private keys during the transaction signing process, leading to significant financial losses for its user base. In response to the breach, SecondFi activated emergency protocols to secure approximately 129 million ADA, which is currently being transferred to an independent third-party custodian to safeguard assets for verified victims. Earlier on Tuesday, the company estimated that roughly 16 million ADA, equivalent to $2.4 million, had been compromised across 374 distinct addresses, marking a substantial security incident for the ecosystem.
The deeper driver of this incident lies in the specific nature of the software flaw rather than a breach of the underlying blockchain protocol. Mitchell Amador, CEO of the security firm Immunefi, explained that SecondFi's wallet software inadvertently exposed the private keys it generated, creating a direct pathway for unauthorized access. Amador noted that while the Cardano blockchain itself remained secure, the code responsible for generating these keys represents a critical infrastructure layer that often lacks the rigorous auditing applied to smart contracts. He observed that threat actors have increasingly shifted their focus toward exploiting the infrastructure that creates or stores cryptographic keys, bypassing traditional protocol-level defenses entirely.
Notably, SecondFi issued specific guidance that contradicts common community advice regarding fund recovery. The platform explicitly warned users against restoring their recovery phrases into new Cardano wallets, stating that such actions do not mitigate the risk of further compromise. This directive stands in sharp contrast to recommendations from various community members who urged users to migrate affected wallets and move funds to newly created addresses immediately. The company's stance suggests that the vulnerability may persist across different wallet instances if the compromised seed phrases are reused, necessitating a more cautious approach to asset preservation.
Per Woofun AI, the organizational context of SecondFi has become a focal point of confusion and clarification following the attack. Charles Hoskinson, the founder of Cardano, publicly stated that SecondFi is not a product of Input Output Global (IOG) and emphasized that no ownership, control, or business relationship exists between the wallet and his organization. Hoskinson clarified that IOG's incident response team has been in contact with SecondFi since Monday, during which the platform requested an independent security audit to investigate the breach thoroughly. He further stressed in a video posted on X on Tuesday that IOG is distinct from Emurgo, the entity that originally developed the Yoroi wallet, from which SecondFi was rebranded in April 2024.
Structurally, the separation between these entities is critical for understanding liability and future security measures. Emurgo describes itself as the "for-profit arm of Cardano" and launched Yoroi as the first open-source light wallet for the blockchain before the rebranding occurred. Hoskinson reiterated that IOG has no influence over Emurgo and cannot speak on its behalf regarding the exploit, stating clearly that they did not write the code and are not connected to it. This distinction underscores the decentralized nature of the ecosystem where third-party developers operate independently, bearing sole responsibility for their software's security posture.
As of publication, SecondFi has not released a comprehensive post-mortem report detailing the full technical scope of the vulnerability. However, the company has issued multiple statements confirming that the security breach was caused by a flaw in its Cardano web wallet generation software. The incident highlights a growing trend where attackers target the peripheral infrastructure of crypto ecosystems rather than the core protocols themselves. This marks a significant shift in the threat landscape, requiring wallet providers to prioritize the security of key generation mechanisms with the same intensity as smart contract audits.