SecondFi, the Cardano-based wallet platform, says it has wrapped up its forensic investigation into a June 23 exploit and is preparing to return assets to affected users within roughly two weeks. The breach drained approximately 16 million ADA, worth about $2.4 million, from 374 wallet addresses.
That $2.4 million figure, while painful, could have been far worse. The total potential exposure from the incident, including NFTs and various tokens held across compromised wallets, is estimated to exceed $20 million pending an ongoing audit.
What actually went wrong
The Cardano blockchain itself wasn’t compromised. The vulnerability lived entirely within SecondFi’s proprietary web wallet generation software, specifically in how it derived nonces during the transaction signing process.
A deterministic nonce derivation error in SecondFi’s software signer meant that once an affected address signed a transaction, attackers could reconstruct the private key using nothing more than publicly available on-chain data. No phishing emails, no social engineering, no malware. Just math.










