June 28, 2026 ChainGPT

SecondFi Vows Two-Week Recovery After $2.4M Cardano Wallet Exploit

SecondFi sticks to two-week recovery plan after $2.4M Cardano wallet exploit

SecondFi says it remains on track to recover user funds after a Cardano wallet breach drained roughly 16 million ADA (about $2.4 million at the time) from 374 addresses between June 21 and June 23. The team announced engineers are pursuing multiple technical recovery paths in parallel and expects the process to fit within an estimated two-week timeline.

What to expect next

- Wallet check tool: SecondFi plans to release a checker “by early next week” so users can verify whether their wallets were affected.
- Safe withdrawal instructions: The project will publish a secure, step-by-step process to move assets once the recovery method is finalized.
- No user action yet: SecondFi warned that no recovery step requiring user action has started and urged users to leave wallets untouched until official guidance arrives. It reiterated it will never ask for private keys, seed phrases, wallet credentials, or asset transfers.

Security and scam warnings

SecondFi also flagged a rise in impersonators and fake accounts targeting users following the exploit. It advised users not to deposit more funds into existing SecondFi wallets and to rely only on official channels and support tickets to avoid phishing and fraudulent recovery offers.

What caused the breach?

SecondFi attributed the incident to its own Cardano wallet generation software and temporarily paused affected services. An external report from Tibane Labs suggested the vulnerability came after an unaudited third‑party SDK replaced EMURGO’s audited signing code on June 8. Security researcher Taylor Monahan criticized the wallet code, saying SecondFi “rolled their own crypto,” adding pressure because the product, formerly Yoroi, had long served Cardano users.

EMURGO’s response and emergency steps

EMURGO CEO Phillip Pon said the company completed a forensic review, checked wallet balances and identified what he called a “clear recovery solution.” Pon outlined a staged plan: one week to build the recovery system and another week to test it before returns begin. As an emergency precaution, SecondFi moved approximately 129 million ADA to an independent third‑party custodian to shield more assets from potential attackers.

Outstanding questions

A full technical report from EMURGO or SecondFi is still pending. Until that official analysis is released, users must rely on the project’s updates, outside assessments, and the planned wallet check tool to understand whether they were affected.

Why it matters

The incident tests SecondFi’s ability to return funds safely while explaining what went wrong. It also raises fresh concerns about Cardano wallet security at a sensitive time for the market (ADA is trading near multi‑year lows) and reinforces the risks around third‑party code and custom cryptographic implementations.

Bottom line: wait for the official wallet check and recovery instructions, avoid interacting with compromised wallets, and do not share secrets or seed phrases with anyone claiming to help.