Cardano’s wallet hack exposed the user layer holding its on-chain government together | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker


EMURGO said it is stepping down from its role in Pentad, the five-member group coordinating Cardano’s infrastructure funding, to focus resources on recovering funds lost in the SecondFi exploit.

The attack exploited a flaw in SecondFi’s wallet address-generation system, draining roughly $2.4 million in ADA from 374 wallets.

A wallet-layer product failed, and EMURGO, one of Cardano’s founding entities, stepped back from an infrastructure coordination role as recovery work began. Cardano’s governance system, which grew during its Voltaire era, adds a second layer to the story because the product failure sits inside the same wallet environment where ordinary ADA holders delegate and vote.

Yoroi’s help documentation says users can delegate voting power to Yoroi’s own DRep, delegate to a different DRep, abstain, or select no confidence, all from inside the wallet. The same documentation ties reward withdrawal to completing one of those governance actions and routes direct voting through a GovTool connection.

Cardano governance starts at the wallet
A flowchart shows Cardano governance starting at the wallet, branching into DRep delegation, abstaining, no confidence, or direct GovTool voting.

Where Cardano’s governance starts

Cardano Docs describes CIP-1694 governance as a structure that combines ADA owners, delegated representatives, stake pool operators, and a constitutional committee, with participation beginning the moment a holder picks a governance-compatible wallet. That starting point makes wallet security a governance dependency for ADA holders using wallet-based delegation and voting flows.

CardanoCube’s live governance hub recorded 28 active governance actions, 379 active DReps, and 3,217 votes cast over 30 days, with 87.52 billion ADA in voting power exercised during the same window.

A compromised wallet inside that system matters because it sits in the same user flow that now carries live treasury votes and DRep delegation.

Pentad brought together Input Output, the Cardano Foundation, EMURGO, Intersect, and the Midnight Foundation to coordinate infrastructure spending across the network.

Intersect said the Cardano community approved a 70 million ADA Critical Integrations Budget in late 2025 to close gaps in stablecoins, institutional custody, cross-chain bridges, pricing oracles, and analytics.

The Cardano Foundation’s May 2026 update requested 23 million ADA in Critical Integrations V2 funding for Year 2 support covering Circle USDCx, LayerZero, Pyth, Dune, and native Fireblocks integration, routing the request through Pentad with the Foundation, Input Output, EMURGO, and Midnight as co-sponsors and Intersect as administrator.

EMURGO’s exit lands inside that active funding cycle, pulling one of the entities steering treasury-backed infrastructure away from the table just as a second funding round moves through the process.

Bitquery’s on-chain investigation traced the failure to weak randomness in SecondFi’s key-generation code, with the Cardano chain processing every transaction as designed.

The firm also reconstructed a broader swept-funds picture above 129 million ADA. That figure should be treated separately from the confirmed loss of roughly 16 million ADA, as it reflects Bitquery’s broader forensic accounting rather than the amount publicly tied to affected users.

The confirmed loss amounts to about 42,800 ADA per affected wallet, a meaningful sum for the people who held it. Compared with CardanoCube’s 87.52 billion ADA in cumulative voting power recorded across 30-day governance activity, the loss is small by voting-scale comparison, at roughly 0.018%, though that denominator reflects voting activity across governance actions rather than total ADA supply.

CryptoSlate Daily Brief

Daily signals, zero noise.

Market-moving headlines and context delivered every morning in one tight read.

MetricFigureWhat it shows
Confirmed exploit loss~16M ADADirect custody damage
Affected wallets374Concentrated user impact
Average loss per affected wallet~42,800 ADAMeaningful individual exposure
30-day governance voting power87.52B ADAGovernance scale remains much larger
Loss as share of 30-day voting power~0.018%Small by voting weight, large by trust impact
Critical Integrations fund70M ADAExploit equals ~23% of this budget
Critical Integrations V2 request23M ADAExploit equals ~70% of this request

Signal to watchBull pathBear path
Active DRepsHolds near current level or growsDeclines as users disengage
Inactive DRepsStays stable or fallsRises as participation fades
30-day vote countHolds near or above 3,217Falls below recent levels
Voting power exercisedRemains broad and activeConcentrates among large holders and professional DReps
No-confidence / abstain behaviorStays levelSpikes as trust weakens
Wallet recovery and migrationClear, completed, low-frictionDelays, confusion, or phishing copycats
Pentad infrastructure workRemaining members absorb coordinationFunding work slows or becomes more contentious