⚠️ SecondFi Is Currently in Quarantine Mode
SecondFi is running in quarantine mode. It's the same application, but transactions are disabled. You can view your balance and wallet address only, you cannot send, swap, or move funds.
A screenshot is below so you know what to expect.
Please protect yourself from scams. Only download SecondFi from our official link: secondfi.io/download
Do not accept download links from anyone else, including emails, messages claiming to be from SecondFi.
Chrome extension is live, app store is pending store approval.
@emurgo_io Tất cả tài sản ada và night của tôi nằm ở ví secondFi hết và số lượng night chưa dêdn lúc claim thì làm sao. Vì lượng night của tôi rất nhiều.
SecondFi will not resume normal operations, even once the audits are complete.
Going forward, our involvement in @secondfiapp is limited to a dedicated asset recovery team, tasked solely with returning assets to affected users.
This is where our full focus and resources are directed.
@secondfiapp “This wallet address appears on our list of wallets affected by the SecondFi security incident.” 2 ví tôi đều thông báo vậy. Vậy là ada tôi đã mất đúng không, bây giờ tôi phải làm sao.
The Asset Recovery Wallet Checker is now live.
You can now verify whether your wallet was affected by the incident.
The official checker is live at checker.secondfi.io.
This is the only official checker. It is hosted on our secondfi.io domain and shared only through @secondfiapp and @secondfi_jp.
- It will NEVER ask you to sign a transaction.
- Any tool that asks you to sign is not ours and should be treated as fraudulent.
This is phase one. In phase two, the checker will show whether your wallet has been affected, alongside an air-gapped transfer option to move assets securely.
Important Security Reminder
SecondFi will NEVER request private keys, recovery phrases, or wallet credentials, and we will never DM you first.
Do not trust any checker, link, or account outside our official channels:
▪️ X accounts: @secondfiapp and @secondfi_jp
▪️ Support portal: support.secondfi.io
▪️ Asset recovery wallet checker: checker.secondfi.io
Hardware Wallet Migration Guide
We have published a step-by-step guide to help users securely move their assets to a new hardware wallet, the most secure option for self-custody.
Before you start, keep these in mind:
- If you already use a hardware wallet, no action is required. Hardware wallet users were not affected by this incident.
- Do not delete the SecondFi app, and keep your seed phrase safe. Either one will be required to claim your assets through the recovery process.
- Stop using your existing wallet. Do not send, receive, sign, or stake from it.
The full step-by-step guide, including how to test with a small amount before moving your balance, is available here: kb.secondfi.io/en/article/har…
Important Security Reminder
SecondFi will NEVER request private keys, seed phrases, wallet credentials, or request asset transfers under any circumstances. We will never DM you first.
Any message instructing you to move assets or submit wallet information outside of our verified official channels should be treated as fraudulent. Our official channels are @secondfiapp, @secondfi_jp, and support.secondfi.io.
For support, please submit a ticket only through our official support channel at: support.secondfi.io
📢 Important Guidance for SecondFi Users
We understand that many users are considering migrating to new wallets, and that trusted members of the Cardano community are suggesting ways to do so. We recognise this comes from a desire to protect your assets. If you choose to migrate, you do so at your own risk.
However, we strongly advise against taking this action at this time. Particularly if you are not technical, the safest course is to leave it untouched.
Independent actions taken outside of official guidance create additional risks, and may significantly complicate the asset claims process. Our team is working through a secure recovery process, and we will continue keeping users updated as progress is made. Official step by step instructions will follow shortly.
If you have a query, you may submit a ticket at: support.secondfi.io. We will never DM you first or ask for your recovery phrase.
Thank you for your patience.
@matin1983a@YoungwarenDir Cho tôi biết là bên bạn bảo trì trong khoảng thời gian bao nhiêu ngày, chứ chúng tôi rất lo lắng vì tài sản tôi năm hết trong ví secondFi.
@secondfiapp Minh cập nhật ví secondFi là trên iphone, và trước kia mình tạo ví yoroi trên iphone nhưng khi airdrop night thì mình có lên máy tinh đế claim.
Xong rồi mình vẫn sử dụng trên iphone
Important Security Update.
As stated, we have identified the root cause of the incident. It is at the address level.
The affected software signer used a deterministic nonce derivation flaw. Every time an address signed a transaction, it leaked enough information to mathematically reconstruct that address's private key from public blockchain data alone.
If you were affected by the attack, your first/default address (index 0) is almost certainly exposed. It is the address that some wallets may be using by default or as the only address at all, and nearly always has transactions. That history is all an attacker needs.
Please DO NOT RESTORE your recovery phrase into another Cardano wallet. This does not mitigate the security risk.
Your keys are derived from your recovery phrase, not from the app. Restoring the same phrase into another wallet recreates identical addresses with identical exposure. The compromised thing is the key of the compromised address(es), not the interface you are using.
If you were affected by the attack, and use any of your compromised address(es) to deposit it could be drained again. This includes withdrawing staking rewards even using another wallet.
Reward withdrawal and delegation are signed with the stake credential. The withdrawn funds could be routed to your first/default address (as indicated above), which has a high chance of being compromised (wallets work differently managing it). Mempool-monitoring adversaries can front-run or sweep your assets on confirmation.
There has been conflicting advice from community members in an attempt to be helpful. Do nothing until official steps come from SecondFi.
We are working to facilitate the verification process so users can claim back their assets safely. Following the above is very important, if not it makes verified claims more difficult.
The only thing you should do right now is submit a ticket at support.secondfi.io
We will never DM you first or ask for your recovery phrase.
@secondfiapp Minh cập nhật ví secondFi là trên iphone, và trước kia mình tạo ví yoroi trên iphone nhưng khi airdrop night thì mình có lên máy tinh để claim. Xong rồi mình vẫn sử dụng trên iphone
⚠️ As stated, we have identified the root cause, it is at the address level. Please DO NOT RESTORE your recovery phrase into another Cardano wallet, this does not mitigate the security risk. The security risk occurs when an affected user signs a transaction.
In addition, we are working to facilitate the verification process so users can claim back their assets safely so the above is very important, as it makes claims more difficult.
There has been conflicting advice from different community members in an attempt to be helpful. Do nothing until official steps come from SecondFi.
The only thing you should do is submit a ticket at support.secondfi.io.
We will never DM you first or ask for your recovery phrase.
@Mplum27James@secondfiapp Cảm ơn bạn, Mình không giỏi công nghệ vì lớn tuổi mà hiện giờ mình không vào ví được và không thể biết ada và night mình còn hay mất. Vậy bây giờ mình nên không làm gì để đợi khi nào ví bảo trì xong hay mình phải làm gì. Mong bạn giúp. Cảm ơn
@pisfly@TheNebulist@JustMr_Nobody@secondfiapp Tôi bây giờ không vào ví được vì thông báo đang bảo trì. Nên tôi không biết ada của mình có bị mất không. Bạn ơi tôi làm sao. Thật là lo lắng
@TheNebulist@JustMr_Nobody@secondfiapp Actually I tried to launch on Daedalus but its not passing the password creation step after entering seed keys. Not sure Daedalus is also broken.