SecondFi, the Cardano wallet formerly known as Yoroi, disclosed on June 23 a security vulnerability that allowed attackers to siphon roughly 16 million ADA from 178 user wallets. At current prices, that’s approximately $2.4 million gone, along with an undisclosed number of tokens and NFTs that were also swept from compromised accounts.

The flaw was traced to SecondFi’s web wallet generation software, which is the part of the system responsible for creating new wallets and their associated private keys.

What happened and what SecondFi is doing about it

SecondFi immediately suspended its services and entered maintenance mode after discovering the vulnerability. The company also took a snapshot of user balances, essentially freezing a record of what everyone held at the moment the breach was identified.

SecondFi says it has engaged a leading blockchain security firm to perform an independent review of the exploit. The company is also coordinating with several major players in the Cardano ecosystem, including Input Output Global (IOG), the Cardano Foundation, IntersectMBO, and SundaeSwap, to manage the fallout and support affected users.