Cardano founder Charles Hoskinson says the blockchain was not hacked. The SecondFi wallet breach stems from modified closed-source code, he says.
The headline wrote itself: Cardano got hacked. Except it did not. Charles Hoskinson said as much on June 24, broadcasting from Colorado in what he described as a late-night session picking apart code he should not have had to pick apart.
SecondFi, the wallet formerly known as Yoroi, reported a security incident tied to its native web wallet generation software. Reports circulating earlier this week put losses at roughly 16 million ADA, with NFTs and other tokens also taken from somewhere around 178 self-custody wallets. Exact figures have not been independently verified. The wallet generation flaw exposed private keys at the point of wallet creation, per reporting at the time.
Hoskinson had a different thing on his mind. The question he wanted answered was not the scope of the loss. He wanted to know if anything inside Cardano’s own cryptographic layer had been touched.
Cardano Is Not the Problem Here
His answer, after disassembling SecondFi’s minified TypeScript: no. The open-source cryptographic libraries used by the overwhelming majority of Cardano wallets, he said on YouTube, appear to be exactly as they were before any of this happened. Key derivation, HD wallet logic, UTXO selection — none of it, per his review, looks touched.
What looks different is the closed-source code. Hoskinson said the anomalous transactions appear connected to SecondFi’s proprietary layer, specifically code that had been modified from the open-source standard Cardano maintains. That distinction, he kept returning to it.
As Cardanians on X noted June 23, this was not a Cardano blockchain compromise. The account wrote that the root cause sat in SecondFi’s native web wallet generation software, not the chain. Per Hoskinson, that framing is accurate.
What the Disassembled Code Actually Showed
He said he was able to replicate how the attack occurred. He will not say how. Independent audits come first, he explained, and Emurgo needs to lead that disclosure. His read is that the 24-word seed phrases used by affected users may not themselves be compromised. The things derived from those keywords after the fact, that is a different story.
The open-source infrastructure Cardano has spent years building was built for exactly this kind of pressure. Hoskinson’s position, as stated before this incident and apparently confirmed by it: cryptographic code that affects the broader ecosystem should be built by a federation of entities, not a single vendor. He said that plainly.
Input Output has no authority to freeze funds or reverse transactions. Hoskinson was direct about that. Cardano was designed as a real cryptocurrency, and no single actor holds those intervention powers. That, he said, is by design.
White Hat Activity and What Comes Next
Some funds that moved after the incident may not have been moved by the attacker at all. Hoskinson said he had heard reports of white hat activity, with some assets reportedly recovered through that route. He said he looks forward to understanding more about how those funds will be returned.
His advice for anyone holding a wallet that touched SecondFi’s system: leave the keys at rest. Do not transact. He called the entire application compromised until an independent audit says otherwise and a formal remediation process runs.
The crypto media coverage, he said, was exactly what he expected. He called it, in his words, AI slop journalist low integrity trash. Then he moved on to the technical part. SecondFi has been placed in maintenance mode. The independent review is still pending.
Leave a Reply
You must be logged in to post a comment.