Overview
- SecondFi disclosed the vulnerability on Tuesday after an on‑chain review showed that attackers had drained about 16 million ADA from affected addresses; the team has suspended services.
- The firm identified the technical cause as a deterministic nonce derivation error in its web wallet signing code that can leak enough data to reconstruct an address’s private key.
- Blockchain investigators and security firm SlowMist warn the true exposure could exceed $20 million and possibly involve as much as 129 million ADA because many vulnerable wallets may not yet have been drained.
- SecondFi says it took emergency steps including snapshotting and freezing balances, patching unaffected flows, routing rescued holdings to a third‑party custodian, and hiring independent auditors while asking users to file support claims.
- Users face active phishing and fake support scams, are warned not to restore affected seed phrases into other wallets, and have no firm timeline yet for full audit results or compensation.
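Why the nonce derivation error described in the third bullet amounts to full key compromise, shown as an added worked derivation that is not part of the original report. It assumes a Schnorr-type signature scheme such as Ed25519 (the algorithm behind ADA addresses) with the usual notation: $a$ is the private scalar, $A = aB$ the public key, $B$ the base point, $l$ the group order and $H$ the hash function.

A correct signer derives a fresh nonce for every message, $r = H(k, M)$, and outputs $(R, S)$ with

$$R = rB, \qquad S \equiv r + H(R, A, M)\, a \pmod{l}.$$

If the derivation is faulty and two distinct messages $M_1 \ne M_2$ are signed under the same key with the same $r$, both signatures carry the same $R$, and subtracting them eliminates the unknown nonce:

$$S_1 - S_2 \equiv \big(H(R, A, M_1) - H(R, A, M_2)\big)\, a \pmod{l},$$

so, provided the two hash values differ modulo $l$ (they do except with negligible probability),

$$a \equiv (S_1 - S_2)\,\big(H(R, A, M_1) - H(R, A, M_2)\big)^{-1} \pmod{l}.$$

Two signatures therefore suffice, and both are public on chain, which is why every key that ever signed with the vulnerable code must be treated as compromised whether or not it has been drained, and why the warning against restoring affected seed phrases stands. For investigators the indicator is concrete: two signatures from the same verification key that share an identical $R$ over different messages.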