EMURGO officially ceases support for SecondFi following the Cardano wallet's private key vulnerability
EMURGO, one of the three founding entities of Cardano, has confirmed that its rebranded Yoroi wallet product will not be functioning normally again following the private key attack that resulted in the loss of approximately 16 million ADA.
7/8/20264 min read


The Keys That Were Never Really Secret
An independent on-chain investigation by blockchain intelligence firm Bitquery, reconstructing each transaction from which data was stolen, traced the breach back to the weak randomness in SecondFi's key generation code and highlighted that the Cardano protocol itself processed transactions exactly as designed. The exact mechanism remains controversial; forensic reports from Tibane Labs describe it as an Ed25519 signing error, while others suggest it was a nonce generation error, but researchers have all come to the same conclusion: the keys SecondFi generated were never truly secret.
The most damaging aspect of this vulnerability is its scope: because the private key generation error is structural rather than installation-specific, every wallet created through SecondFi's affected web interface carries a key that can be inferred regardless of user behavior. Phishing, password theft, and social engineering play no role in this exploit. An attacker only needs public data on the chain to recreate the private key for affected wallets, creating a passive attack surface that accumulates as users create new wallets on the platform. This characteristic makes the "do not restore your seed phrase to a new wallet" warning crucial, as the compromised key data is transmitted along with the seed phrase and not resides within the specific wallet interface.
SecondFi confirmed three external attacks that withdrew 16 million ADA from 374 wallets. Before the attackers could access a further 129 million ADA, SecondFi activated emergency rescue measures, transferring the funds to an independent third party. An external accounting firm was hired to verify the holdings. The success of the rescue operation in protecting 129 million ADA while losing 16 million shows that SecondFi detected the ongoing withdrawals before all vulnerable wallets were emptied, but holding rescue funds indefinitely now defines a recovery issue for EMURGO, as those assets require an auditable on-chain recovery infrastructure before they can be safely returned to their owners.
Unaudited source code in a production environment
Tibane Labs attributed the vulnerability to an unaudited third-party digital signature library that replaced EMURGO's previously audited source code just before the vulnerability was exploited — and independent security researcher Taylor Monahan described SecondFi as "their own proprietary encryption," describing the software as closed-source and unaudited. Both viewed the incident not as an unfortunate error but as a failure of governance and process: a Cardano founding entity had put unaudited source code into a production environment without independent review that could have detected the vulnerability.
The distinction between "unfortunate errors" and "governance failures" carries significant legal and community implications: unfortunate errors fall into a more sympathetic category, where developers made reasonable efforts but still produced flawed results, while governance failures imply that established processes—source code auditing, security testing, deployment authorization—were bypassed or neglected in ways that independent review could have prevented. The description that EMURGO introduced unaudited source code to replace previously audited infrastructure suggests a process regression, where security standards were degraded rather than accumulated over time.
Delays in recovery progress and indefinite waiting times.
When EMURGO first outlined its recovery roadmap in late June, they aimed to return assets within approximately two weeks. That deadline was not met, and EMURGO stated that an independent audit of the recovery system was necessary before they could return the funds; speed remained a priority, but security was paramount because threat actors were aware of the vulnerability.
The failure to achieve the recovery estimate within two weeks reveals a pattern frequently exhibited by cryptocurrency security incidents: the complexity of designing auditable on-chain recovery systems for wallets with inferable private keys—where returning funds to the original address could result in recovered assets falling into the hands of the same attacker who withdrew the funds from the wallet—significantly exceeds initial planned estimates. Users whose assets were rescued into third-party custody accounts face an indefinite waiting period, the end point of which depends on the completion of the security audit and EMURGO's ability to design a recovery mechanism that the attacker cannot exploit during the repayment process.
EMURGO also warned about scammers using fake recovery accounts and fake support links targeting users in distress, establishing a secondary harm vector often associated with major security incidents: attackers monitor public communication channels and exploit victims' desperation by impersonating them. The clear guidance to verify only through SecondFi's official channels reflects the bitter experience with impersonation scams that have exacerbated damage in similar situations throughout the history of the cryptocurrency ecosystem.
Assessment and Conclusion
The permanent closure of SecondFi marks the most serious failure in Cardano's e-wallet infrastructure history, exacerbated by the fact that this failure originated from a founding organization rather than an independent third-party developer whose security practices users could easily overlook. The governance failure to replace audited infrastructure with unaudited source code has established a minimum expectation that users, regulators, and institutional partners should have for e-wallet products claiming to be backed by institutions: continuous independent security assessments of all source code changes being produced, not just initial audits of the original source code.
For the broader Cardano ecosystem, EMURGO's permanent closure of SecondFi instead of attempting a recovery sent a clear signal that the security breach was deemed irreparable from a trust perspective—a conclusion that will shape how competing e-wallet developers communicate their own security practices and how Cardano community members evaluate e-wallet product claims in the absence of the independent verification infrastructure that the ecosystem currently lacks on a large scale.
Disclaimer: The information presented in this article is the author's personal opinion in the field of cryptocurrencies. This is not financial or investment advice at all. Every investment decision should be based on careful consideration of your personal portfolio and risk tolerance. The opinion in the article does not represent the official position of the platform. We recommend that readers do their own research and consult experts before making any investment decisions.
Synthesized and analyzed by HCCVenture
Follow HCCVenture organization here: https://link3.to/holdcoincventure
Explore HCCVenture group
HCCVenture © 2023. All rights reserved.


Connect with us
Popular content
Contact to us
E-mail : sp_contact@hccventure.com
Register : https://linktr.ee/holdcoincventure
Disclaimer: The information on this website is for informational purposes only and should not be considered investment advice. We are not responsible for any risks or losses arising from investment decisions based on the content here.


TERMS AND CONDITIONS • CUSTOMER PROTECTION POLICY
ANALYTICAL AND NEWS CONTENT IS COMPILED AND PROVIDED BY EXPERTS IN THE FIELD OF DIGITAL FINANCE AND BLOCKCHAIN BELONGING TO HCCVENTURE ORGANIZATION, INCLUDING OWNERSHIP OF THE CONTENT.
RESPONSIBLE FOR MANAGING ALL CONTENT AND ANALYSIS: HCCVENTURE FOUNDER - TRUONG MINH HUY
Read warnings about scams and phishing emails — REPORT A PROBLEM WITH OUR SITE.
