Moving your seed phrase to another wallet won't protect you. That's the takeaway from the SecondFi (formerly Yoroi) Cardano wallet exploit that drained 16 million ADA ($2.4 million) from 374 user wallets across three separate attacks.
The vulnerability sits in SecondFi's proprietary wallet generation software, but the critical detail is that it activates at the address level - not the seed phrase level. The team confirmed on X: "The security risk occurs when an affected user signs a transaction." That means any user who generated a wallet using the compromised software and then signs any transaction from that address, even after migrating the seed phrase to a different wallet, remains exposed.
129 Million ADA Rescued, But $20 Million Still at Risk
Before attackers could reach a further 129 million ADA, SecondFi triggered emergency rescue measures, routing those funds to an independent third-party custodian. An external accounting firm has been engaged to verify those holdings. Blockchain security firm SlowMist estimates total losses could still exceed $20 million once the full range of compromised wallets and tokens is accounted for, a figure that remains unconfirmed pending an independent audit.
SecondFi has rolled out a patch for unaffected users. Affected users must submit claims directly to SecondFi; there's no self-service fix.
Hoskinson: "The Unfortunate Reality of Crypto"
Cardano founder Charles Hoskinson acknowledged the incident, noting that the dollar amount was modest relative to other crypto hacks but stressing that this offered little consolation to those affected. "It hurts them whenever they lose anything," he said. "This is the unfortunate reality of crypto." ADA is currently trading around $0.15, its lowest level since 2020.
This exploit is a stark reminder that wallet security isn't just about protecting a seed phrase - it depends on the integrity of the address generation process itself. Until the independent audit confirms the full scope, 374 users are waiting to see if their losses stop at $2.4 million or climb past $20 million.
Source: SecondFi loses $2.4 million in Cardano wallet exploit
Domain: coindesk.com