SecondFi fixes a Cardano wallet flaw that led to the theft of 16 million ADA

SecondFi, a decentralized finance platform built on the Cardano blockchain that encountered a security vulnerability yesterday, announced today, June 24, 2026, through X, that it has identified and fixed the security issue that affected certain Cardano wallet addresses. The company says the flaw was at the address level and could lead to theft only when a user signs a transaction. The patch has already been rolled out to wallets that were not hacked. It is expected that normal service will be resumed soon for these users.

What happened

Four separate drain events targeted SecondFi wallets. Three of these events were carried out by external attackers and resulted in losses of approximately 16 million ADA from 374 addresses. During the ongoing exploit, SecondFi activated emergency rescue procedures to stop further losses. As a result, approximately 129 million ADA were transferred to an independent custodian where they are safely held for the benefit of the affected wallets.

Why recovery phrase recovery is unsafe

SecondFi warns that restoring your recovery phrase to another Cardano wallet will not stop the vulnerability. The risk exists at the address level and only becomes active when the transaction is signed by the affected wallet. Moving a seed phrase to a different wallet does not change the behavior of the compromised address and can leave funds exposed. X’s posts also warned users to avoid restoring their recovery phrase to any other Cardano wallet until SecondFi issues specific guidelines.

What SecondFi did to secure funds

• Post-release for unaffected wallets, allowing most users to resume normal operations soon.
• Emergency transfer of available funds to a qualified third party to protect assets while the situation is resolved.
• Hire an outside accounting firm to conduct a special audit and independently confirm the property. Affected wallets have been quarantined to prevent further exploitation.

How users can recover assets

SecondFi coordinates the verification process to enable affected users to safely recover their assets. Affected users are asked to file a claim through the SecondFi Support Portal at support. Secondfi.io. The company says it will work with an independent custodian and auditing firm to verify the claims before releasing the funds.

If the user’s wallet is not listed as affected, the user should update to the patched version and continue normally. However, if the wallet is affected, the user should not sign any transactions and should not retrieve their recovery phrase in another Cardano wallet.

Third-party verification and transparency steps

SecondFi brought in an independent accounting firm to audit the rescued assets and verify the balances held by the third-party custodian. This independent check is intended to give users confidence that funds are in order and to make the claims process transparent. The company also says it will publish more technical details about the root cause and timeline of the attack after immediate rescue and verification steps are completed.

Background of the accident

On June 23, 2026, SecondFi posted on X and acknowledged the fact that some Cardano wallets had been affected by a security issue. Onchain data and security comments indicate that the attrition events likely began on June 21 or 22, before the company’s full public explanation was published. SecondFi later said that the flaw was at the address level and that the risk appears when the affected user signs a transaction, which is why restoring the recovery phrase in another wallet would not be sufficient.

Charles Hoskinson commented: The exploit reflects the “unfortunate reality of cryptocurrencies,” adding that the major loss may seem small compared to other hacks (e.g. Seaweed dao and Drift exploitation Which happened in April 2026). However, according to him, the whole situation is still devastating for users who have lost all their ADA.

Read also: Cardano expands to Japan via SecondFi and Slash partnership