Hi, this is Charles Hoskinson broadcasting live from warm, sunny Colorado. Always warm, always sunny, sometimes Colorado. Today is June 24th, 2026. I'm a little tired; I've been up very late. I spent some time disassembling the minified TypeScript of Second Fi and doing some independent forensics and analysis. I think I've been able to replicate what happened and how the attack occurred. It's left more questions than answers, and as I said in the prior video, we're going to await an independent audit to better understand the nature of these issues.
With blockchain forensics, I've also tried to understand independently how many addresses are impacted. The reason I did this is that I wanted to see if this was an issue contained only in Second Fi or if it's an issue somewhere in the supply chain of Cardano's cryptography. I do not believe that any of the Cardano cryptographic libraries that are open source and used by the overwhelming majority of wallets in the ecosystem are compromised in any way. Obviously, when these things occur, it's prudent to quadruple-check and get some independent audits to verify things.
Key derivation, signature construction, the fundamental cryptographic libraries, how your keywords are generated, how HD wallets work, UTXO selection—all these things in the open-source wallets in the Cardano ecosystem that are using the open-source infrastructure appear to be as they were prior to any issues. The anomalous transactions associated with Second Fi seem to be connected to their closed-source code that has been modified from the open-source standards. An independent audit will explain how that happened, who's responsible, and, of course, part of the remedy for these issues.
More broadly, it's always been my position, and you see it with Lace, Daedalus, and other products we've worked on, that wallet code should always be open source and subject to independent audits on a regular basis. Furthermore, the cryptographic code that is of concern to the ecosystem as a whole should never be built by a sole vendor; it should be built by a federation of entities who consume it and are regularly maintained and examined. This prevents many bad things from happening. A lot of best practices seem to have been violated in this situation, and it's a teachable moment for those who want to build a wallet or financial infrastructure to do so rigorously.
I've seen some disturbing things in the crypto media, and unfortunately, it's predictable. Crypto media is saying things like Cardano has been hacked, the Cardano ecosystem is failing, and all of the ADA is compromised—the usual AI slop, journalist low-integrity trash. Let me be clear: there is no problem with the Cardano protocol, the core nodes, the core cryptography, or any of the open-source wallets. This is a problem specific to an application and a specific company, and it has nothing at all to do with the day-to-day operations of Cardano. For those not associated or affiliated with this specific company and this specific codebase, your funds are fine. There's no cryptographic issue; there's no contagion spreading. This is not a protocol-level issue.
To the crypto media, I understand you're by default going to be dishonest, but it is what it is. Just go [expletive] yourself. Honestly speaking, it's exhausting. It's so tiring. You don't have to lie about everything. Cardano is not broken. Cardano, the network, was not hacked. This is an application. If somebody writes buggy software and installs it on Windows, you don't say Microsoft was hacked and Windows is hacked. The protocol is fine. The cryptography is fine.
From our part at IO, we're going to continue doing what we can across the ecosystem to promote good standards and best practices. As independent audits come out, because we've been assured and promised they will, then I'll read through and comment on them. I won't discuss the nature of the particular attack that I was able to reproduce from the disassembled code until more disclosures come from their side. We'll leave it to Emurgo to discuss that. However, it has left more questions than answers, and only an independent audit can answer those questions of how they got here and what happened.
I have heard that some white hat has done something, and some of the funds that have been moved were not moved by an attacker but purportedly by a white hat. I look forward to understanding more about that and how those funds will be returned to the users. I do not believe that this attack compromises the 24 keywords from the code I've been able to see. Those keywords could be used similarly to a BIP 161 style approach as part of the redemption process. The things derived thereafter are problematic, but the keywords themselves do not, at the moment, appear to be compromised. However, it's hard to independently verify that, and it depends on whether they were generated with Yoroi and then brought into Second Fi or generated strictly within Second Fi. It's hard to say. I don't have full access and haven't been able to look through all those mechanics of key derivation.
For the moment, until proven otherwise, the Second Fi application should be considered compromised. It needs to be brought back to life through an audit and remediation. All components of it should not be trusted by default. The safest thing to do right now is, more likely than not, to just leave the keys at rest and not transact with any Second Fi wallet. That's my view. I cannot offer any remedy on the Input Output side. We have no special powers or authorities to intervene or do things here. We have no oversight of the protocol that would allow the freezing or reversing of funds, and this is by design because Cardano is a real cryptocurrency, just like Bitcoin, and it doesn't have these intervention mechanics because it's a global system, and no person should have them. That cannot be done, and it won't be done. It's up to the particular vendor to make things right with their software and explain how we got here.
In general, this does not spread to other wallets that follow best practices, are subject to third-party audits, commit to open source, and do not modify cryptographic code. The code that has been written and is out in the open has been meticulously crafted over years of painstaking effort and is subject to multiple audits and consumed by many different wallets. It makes no sense, and it should never be the case that such code be modified unless there is extreme scrutiny and done in public. I would advise people to please use wallets that can prove that.
I just wanted to make a statement and ensure there is absolute clarity with everybody here about this. It is what it is. We look forward to independent verification of things and explanations of how we got here. We look forward to understanding the remedy plan that's going to be proposed and broadcasted. Thanks, everyone.
30:22
8:30
12:28