Charles Hoskinson: SecondFi App Compromised, Cardano Protocol Unaffected

Charles Hoskinson presented a new technical update on the SecondFi wallet incident, separating the suspected application level failure from Cardano’s protocol, open source wallet infrastructure and core cryptography.

By SongMarketCap


Charles Hoskinson issued a new live update on June 24, 2026, after reviewing minified TypeScript from the SecondFi application and conducting independent forensic analysis of the wallet incident. The update focused on how the attack appears to have occurred, why the case points toward SecondFi’s application code and why the available evidence does not indicate a failure in Cardano’s protocol, core nodes, open source wallet libraries or foundational cryptography.

Cardano Protocol Security Separated From SecondFi Incident

Hoskinson’s review examined whether the SecondFi incident was limited to one application or connected to a wider issue in Cardano’s cryptographic supply chain. His assessment found no indication that the open source Cardano cryptographic libraries used by most wallets in the ecosystem were compromised.

The technical review covered key derivation, signature construction, recovery word generation, HD wallet mechanics and UTXO selection. Those components were described as consistent with the open source infrastructure used across Cardano wallets before the incident.

The anomalous transactions connected to SecondFi were instead tied to the application’s closed source codebase, which had been modified from open source standards. The distinction is central to the update: Cardano’s network, nodes, protocol level cryptography and open source wallet infrastructure were separated from the suspected failure inside a specific wallet application.

SecondFi Code and Wallet Audit Standards Move Into Focus

The next stage of the case now depends on an independent audit. That process is expected to explain how the incident occurred, who was responsible and what remediation plan will be offered to affected users.

Hoskinson avoided publishing the specific technical path of the attack before further disclosure from Emurgo or the SecondFi team. The update instead placed formal verification, audit discipline and application level accountability at the center of the investigation.

The incident also reopened the broader question of wallet standards in the Cardano ecosystem. Lace and Daedalus were referenced as examples of wallet software developed around open source visibility and external review. The wider position presented in the update was that wallet code handling user funds should be open source, regularly audited and maintained with shared scrutiny when cryptographic components affect the broader ecosystem.

The concern was not only the existence of a vulnerability. The deeper issue is the modification of sensitive cryptographic code outside public review. For wallet builders, the SecondFi case now places application design, cryptographic implementation, audit history and open source transparency directly inside the security discussion.

User Safety, White Hat Claims and Remediation Plan

The update also addressed early claims that some funds may have been moved by a white hat actor rather than by the attacker. That claim still requires confirmation through the audit process or an official remediation plan, leaving fund recovery and return procedures unresolved.

Hoskinson also addressed the question of whether the 24 wallet recovery words were compromised. Based on the code he reviewed, the recovery words themselves did not appear to be compromised at that stage. The update also noted that this is difficult to verify without full access to the complete key derivation process, especially where wallets may have been generated in Yoroi and later imported into SecondFi, or generated directly inside SecondFi.

Until the audit and remediation process is complete, the SecondFi application should be treated as compromised. The safest approach described in the update is to leave keys at rest and avoid transacting through any SecondFi wallet.

The update also clarified the limits of Input Output’s role. The company has no special authority to freeze, reverse or recover funds at the protocol level. Cardano does not include intervention mechanics of that kind, aligning the network with a global cryptocurrency model in which no single company or individual controls user balances.

The investigation now turns on three concrete deliverables: an independent audit, a technical explanation from the teams responsible for SecondFi and a user remediation plan. For the wider Cardano ecosystem, the live update narrows the case to application code, closed source wallet changes and audit accountability, while keeping the protocol layer, open source wallet libraries and core cryptographic infrastructure outside the reported failure.