Particle.news
Download on the App Store

SecondFi Signing Bug Exposes Private Keys and Drains 16 Million ADA

Attackers could rebuild private keys from on‑chain data, prompting SecondFi to route 129 million ADA to custody while investigators audit the code.

Overview

  • A coordinated exploit that ran June 21–23 targeted wallets generated by SecondFi’s web flow and led to roughly 16 million ADA being stolen from hundreds of addresses.
  • SecondFi says the root cause was a deterministic nonce derivation flaw in its signer that allowed attackers to reconstruct private keys from transaction data on the blockchain.
  • The company suspended services, snapped user balances, routed about 129 million ADA to an independent custodian, and hired external security firms to conduct independent audits.
  • Affected users have been told not to restore recovery phrases into other wallets because compromised addresses remain unsafe and scammers are impersonating support channels.
  • Cardano leaders say the protocol itself was not breached, but the incident raises trust and market questions for Cardano and leaves reimbursement timelines dependent on forensic and audit results.