Key facts
- SecondFi expects to begin returning assets to users affected by a security breach in approximately two weeks.
- The exploit impacted around 16 million ADA, valued at $2.4 million at the time, across 374 addresses.
Cardano wallet SecondFi expects to begin returning assets to users affected by a recent exploit in approximately two weeks, following forensic investigations and security reviews. The company is building and testing a recovery solution designed around existing wallet states.
The incident highlights ongoing security risks in the cryptocurrency space and the challenges faced by users and developers in recovering assets after a major exploit. SecondFi's recovery timeline and warnings against scams are crucial for affected users navigating the process.
Cardano wallet SecondFi has outlined a recovery plan for users impacted by a security breach earlier this week, aiming to begin asset returns in approximately two weeks. Phillip Pon, CEO of Emurgo, SecondFi's developer, stated that forensic investigations are complete and a recovery pathway has been established. The upcoming week will focus on building the recovery solution, followed by a week of testing before assets can be returned to users.
On Tuesday, SecondFi disclosed the security incident, which affected around 16 million ADA, valued at approximately $2.4 million at the time, across 374 addresses. The company identified the cause as an address-level issue within its Cardano web wallet generation software that exposed users' private keys. In response, SecondFi secured approximately 129 million ADA through emergency measures and transferred these funds to a third-party custodian pending verification and recovery.
Pon advised users to avoid migrating assets or taking actions outside of official guidance, as the recovery process is designed around existing wallet states and external actions could complicate fund return. SecondFi also issued a warning about ongoing recovery-related scams, cautioning users against fraudulent messages and emphasizing that no user participation is required for recovery at this stage. The company stressed it will never ask for private keys, seed phrases, or direct wallet access.