SecondFi's wallet key flaw on Cardano.
On June 23, an attacker drained about 16 million ADA, roughly $2.4 million, from 178 wallets on SecondFi, the successor to EMURGO's Yoroi, a wallet trusted on Cardano since 2018.
A wallet's one job is to generate a private key, the secret that alone controls your funds, where no one else can see it. SecondFi generated those keys in the browser, and that step was flawed. The keys were exposed, letting the attacker reproduce them and sign as the owner.
Hardware wallets and older seed phrases were untouched. Only keys minted by the new web flow were at risk. The ledger held, the cryptography held.
A key is only as private as the moment it is created. If the software leaks it then, every safeguard after rests on a secret the attacker already holds.
Source: https://icobench.com/news/secondfi-exploit-ada-stolen-emurgo-wallet/