SecondFi Exploit Exposes Private Keys as ADA Wallet Flaw Puts Millions at Risk

Key Takeaways:

• According to SecondFi, the flaw involved a deterministic nonce that enabled them to build a private key from the blockchain data of the affected wallet.
• The first wallet address in use among those affected is thought to be a super-exposed wallet.
• The team warned users not to restore seed phrases or move assets until official recovery steps are released.

User Score

8.7

    Follow us on Google NewsSecondFi has shared new information on its recent security breach, revealing that the attack was not as much a corrupt wallet application breach as the cryptographic signing issue. The disclosure has given the most transparent explanation to date of how the compromised Cardano wallets could be breached.

Read More: SecondFi Exploit Sparks $20M Loss Fears Across ADA

Table of Contents

• SecondFi Identifies the Root Cause
• Restoring Seed Phrases Does Not Solve the Problem
  • Staking Rewards May Also Be Vulnerable
  • Recovery Process Remains Under Development
  • Security Concerns Expand Beyond Wallet Applications

SecondFi Identifies the Root Cause

The team states that the flaw had appeared in the concerned signing software because of a deterministic nonce derivation bug.

Each time a vulnerable address signed a transaction, it was possible to mathematically reconstruct the private key, using public blockchain information.

From the company, it was indicated that the problem is at the address level. This means that transferring funds from one wallet app to another or entering them into a different wallet won’t eliminate risk.

According to SecondFi, the most common wallet address, which is known as the first address or index 0, is the most vulnerable as it is typically where users have their transactions stored.

## Restoring Seed Phrases Does Not Solve the Problem

The project has repeatedly issued the warning that users should not enter their recovery phrase into another wallet. If you know the wallet address you lost your seed phrase, just recreating that seed phrase will give you the exact same compromised addresses.

SecondFi explained that the funds of users could still be lost if they switch funds from addresses that are compromised.

Staking Rewards May Also Be Vulnerable

The team also stated that turning down staking rewards may cause further security risks.

Withdrawals here use stake credentials which can possibly already be compromised. Sometimes the money taken off staking would be automatically redeployed to the default address, that hackers might already have control over.

SecondFi said that competitors who keep track of the mempool could be able to front-run transactions and raid assets as soon as they are confirmed on the blockchain.

Read More: $5.87M Ethereum Exploit Hits TrustedVolumes as 1inch Denies Any Protocol Breach

Recovery Process Remains Under Development

Since the exploit went public, there has been some conflicting information flying around the Cardano community, the company wrote. Some users recommended moving wallets immediately, others suggested funding the other applications on Cardano.

The only official instructions are to make a support request via the project’s support portal, and wait for instructions to recover. The team stated that acting independently may make it more difficult in the future to verify assets and to seek reimbursement.

Security Concerns Expand Beyond Wallet Applications

The latest disclosure suggests the incident may become one of the most serious wallet-level security failures within the Cardano ecosystem.

Earlier estimates linked the attack to millions of dollars in ADA and other tokens. Security researchers previously suggested total exposure could exceed $20 million if additional compromised addresses are included. So far, no vulnerability has been identified within Cardano’s base protocol itself.