Cardano's SecondFi Saga: A Flawed Wallet Generator Walks Away With Up To $20M 🧩

A vulnerability in SecondFi's proprietary wallet generation software exposed Cardano users to losses that could top $20 million, according to blockchain security firm SlowMist. The project disclosed the breach on June 23, tracing the entry point to a flaw that compromised the private keys used to create wallets through its service, allowing attackers unauthorized access to user accounts and funds. Cardano's base protocol was not the entry point, the SecondFi team said, and the project has since suspended service and entered maintenance while an independent review proceeds.

Estimates of the damage vary. SecondFi's internal assessment places losses at roughly 16 million ADA, worth about $2.4 million at the time, across approximately 178 affected wallets. SlowMist founder Yu Xian, known by the handle Cos, placed the upper bound above $20 million, citing on-chain analysis of attacker-linked addresses that moved more than 129 million ADA alongside non-ADA tokens. ADA traded at $0.150237 on June 24, down 3.00% over the prior 24 hours, putting the upper ADA-only figure at roughly $19.4 million. SecondFi warned that recovery to another platform or wallet does not mitigate the risk, because the threat activates when affected users sign transactions with compromised addresses.

SecondFi completed an on-chain analysis to map the scope of affected addresses and has isolated the impacted wallets, taking a full balance snapshot during containment. The project said it is now working with an independent blockchain security firm on a technical review, noting in a public post that "the security risk affects wallet users when a transaction is signed." The incident mirrors a recent pattern of infrastructure-layer attacks in 2026, including the Humanity Protocol private key breach and the Syscoin bridge exploit, where tooling built above the base chain introduced the vulnerability rather than the underlying protocol itself.

Community reaction to the disclosure has been sharply critical. One user openly challenged the team's guidance, stating, "Millions were lost. People's life savings vanished," while others claimed that "nobody trusts anything being posted" and that disabling comments "says more than any statement ever could." Cardano founder Charles Hoskinson responded to the SecondFi incident, noting that while the losses may appear small relative to other crypto exploits, they offer no comfort to those affected, and stressed that some users may have lost their entire ADA holdings, describing it as an unfortunate reality of the industry. The breach surfaced one day after Cardano launched the Leios Musashi Dojo testnet, as ADA continues to trade near five-year lows amid a proposed rescue plan that holders have met with skepticism.