Overview
- SecondFi says its forensic work is complete and has confirmed a deterministic nonce derivation flaw in its wallet signing code that let attackers reconstruct private keys from on‑chain signatures.
- Attackers drained about 16 million ADA from 374 addresses in three waves between June 21 and June 23, and investigators traced the activity to two distinct threat actors who were reported to authorities.
- As an emergency measure, SecondFi moved roughly 129 million ADA to an independent third‑party custodian to protect funds while engineers build and test recovery options.
- SecondFi plans to publish a wallet‑checker tool and return affected assets on a timeline it estimates at about two weeks, and it warns users not to restore compromised seed phrases or share private keys because scammers are targeting victims.
- Outside analysts have raised concerns that an unaudited third‑party SDK may have replaced audited signing code, prompting wider questions about pre‑launch audits and secure wallet development across the Cardano ecosystem.