Charles Hoskinson, founder of Cardano and CEO of Input Output, said in a June 24 livestream that the SecondFi incident was not a hack of the Cardano network, its protocol, its core nodes, or its open-source cryptographic infrastructure. After reviewing disassembled minified TypeScript from SecondFi and conducting his own forensic work, Hoskinson said the anomalous transactions appeared tied to SecondFi’s closed-source application code rather than to Cardano’s underlying cryptography.
Hoskinson: Cardano Wasn’t Hacked in SecondFi Case
Hoskinson said he spent time reviewing SecondFi’s minified TypeScript and attempting to reproduce the incident independently. His stated objective was to determine whether the issue was isolated to SecondFi or whether it indicated a broader supply-chain problem affecting Cardano cryptographic components used across the ecosystem.
“I wanted to see if this was an issue contained only in SecondFi or if it’s an issue somewhere in the supply chain of Cardano’s cryptography,” Hoskinson said. “And I do not believe that any of the Cardano cryptographic libraries that are open source and used by the overwhelming majority of wallets in the ecosystem are compromised in any way.” He added that key derivation, signature construction, seed phrase generation, HD wallet mechanics, UTXO selection, and other open-source wallet components “appear to be as they were prior to any issues.”
Hoskinson pushed back sharply against claims that the Cardano network itself had been hacked. “Let me be clear. There is no problem with the Cardano protocol, the core nodes, the core cryptography, or any of the open source wallets,” he said. “This is a problem to a specific application, to a specific company, and it has nothing at all to do with the day-to-day operations of Cardano.” He further stated that users not affiliated with the affected company or codebase should not treat the event as a network-wide threat.
SecondFi Code, Not Cardano Protocol, Draws Scrutiny
The focus of Hoskinson’s remarks was SecondFi’s application-level implementation. He said the anomalous transactions “seem to be connected to their closed source code that has been modified from the open source standards,” while adding that an independent audit would be needed to explain how that occurred, who was responsible, and what remediation should follow.
Hoskinson also used the incident to argue for open-source wallet development and recurring independent audits, especially when cryptographic code is involved. “Wallet code should always be open source and subject to independent audits on a regular basis,” he said. “Furthermore, that cryptographic code that is of the concern of the ecosystem as whole should never be built by a sole vendor, it should be built by a federation of entities who consume it and regularly maintained and examined.” In his view, the SecondFi case reflected a breakdown in best practices rather than a failure of Cardano’s base layer.
For affected users, Hoskinson said he could not provide a remedy from Input Output and emphasized that Cardano does not include mechanisms to freeze or reverse funds. “We have no special powers or authorities to intervene or do things here. We have no oversight of the protocol that would allow the freezing or reversing of funds, and this is by design because Cardano is a real cryptocurrency,” he said. He advised that, until remediation is completed, the SecondFi application should be treated as compromised and users should avoid transacting with SecondFi wallets.
Hoskinson said he expects independent audits and a remedy plan to provide fuller answers about the SecondFi incident, including the role of any reported white-hat activity and how affected users may be made whole. His central message was that the event should be understood as an application-specific failure involving SecondFi code, not a compromise of Cardano’s protocol or open-source wallet infrastructure.
AI Transparency Note: This article was prepared with the assistance of an AI system based on the sources listed and was reviewed, edited, and approved by a human editor before publication. All quotes, data points, and factual claims are intended to be grounded in the cited source material; however, errors cannot be ruled out entirely.