SecondFi Patches Cardano Wallet Flaw After 16M ADA Loss

SecondFi, a decentralised finance platform built on Cardano blockchain that faced a security vulnerability yesterday, announced today, June 24, 2026, through X, that it has identified and fixed the security issue that affected certain Cardano wallet addresses. The company says the flaw was at the address level and could lead to theft only when a user signed a transaction. A patch has already been rolled out to wallets that were not compromised. Normal service is expected to resume shortly for those users.

What Happened

Four separate draining events targeted SecondFi wallets. Three of those events were carried out by outside attackers and led to losses of about 16 million ADA from 374 addresses. During the ongoing exploit, SecondFi activated emergency rescue procedures to stop further loss. As a result, around 129 million ADA were moved to an independent custodian where they are being kept safely for the benefit of affected wallets.

Why Restoring a Recovery Phrase is Not Safe

SecondFi warns that restoring your recovering phrase into another Cardano wallet will not stop the vulnerability. The risk exists at the address level and becomes active only when a transaction is signed by the affected wallet. Moving a seed phrase to a different wallet does not change the compromised address behaviour and could leave funds exposed. The X posts also warned users to avoid restoring their recovery phrase into any other Cardano wallet until SecondFi issues specific guidance.

What SecondFi has Done to Secure Funds

• Post release for unaffected wallets, allowing most users to resume normal operations soon.
• Emergency transfer of available funds to a qualified third-party custodian to protect assets while the situation is resolved.
• Engagement of an external accounting firm to perform a special audit and confirm holdings independently. Affected wallets have been isolated to prevent further exploitation.

How Users Can Reclaim Assets

SecondFi is coordinating a verification process to enable affected users to recover their assets safely. Affected users are asked to submit a claim through the SecondFi support portal at support.secondfi.io. The company says it will work with the independent custodian and the audit firm to validate claims before releasing funds.

If the wallet of the user is not listed as affected, then the user should still update to the patched version and proceed normally. However, if the wallet has been affected, then the user should not sign any transactions and should not restore their recovery phrase in another Cardano wallet.

Third Party Verification and Transparency Steps

SecondFi has brought in an independent accounting firm to audit the rescued assets and confirm the balances that are held by the third-party custodian. This independent check is intended to give users confidence that the funds are intact and to make the claims process transparent. The company also says it will publish further technical details about the root cause and the attack timeline after the immediate rescue and verification steps are complete.

Background of the Incident

On June 23, 2026, SecondFi posted on X and acknowledged the fact that some Cardano wallets had been affected by a security issue. Onchain data and security commentary suggest that the draining events likely began on June 21 or June 22, before the company’s full public explanation was posted. SecondFi later said the flaw was at the address level and that the risk appears when an affected user signs a transaction, which is why simply restoring the recovery phrase in another wallet would not be enough.

Charles Hoskinson commented that the exploit reflects the “unfortunate reality of crypto,” adding that the headline loss may seem small when compared to other hacks (such as the Kelp DAO and the Drift exploit that took place in April 2026). However, according to him, the whole situation is still devastating for users who lost all their ADA.

Also Read: Cardano Card Expands to Japan via SecondFi and Slash Partnership