Cardex exploit compromised $400,000 worth of ether across 9,000 wallets: Abstract

Layer 2 chain Abstract released an initial post-mortem on a security incident affecting thousands of wallets that interacted with Cardex, a blockchain-based game operating on the network.

The incident, which came to light on Tuesday, was described as a “session key hack,” in which a malicious actor gained access to wallets that had interacted with Cardex and drained funds.

Abstract's pseudonymous contributor Cygaar noted in the report that the exploit involved a compromised session signer wallet shared by all Cardex users, facilitated by a leaked key in Cardex’s frontend code.

The incident compromised $400,000 in users' funds, affecting 9,000 wallets, according to Abstract.

This means the attacker could make transactions on behalf of the users — transferring and then selling shares to steal ETH. The exploit did not pose a risk to users’ ERC20s and NFTs.

The post-mortem clarified that the issue was not a widespread problem with the Abstract Global Wallet (AGW) or the core network itself but rather an isolated incident caused by Cardex mishandling critical wallet credentials, such as session keys.

AGW uses session keys to allow apps to create limited and scoped sessions for improved user experience. These keys delegate access to specific wallet functionalities to third parties. Session keys must be carefully managed to prevent permissions from being granted to malicious entities.

The attack exploited vulnerabilities in Cardex's management of session keys, which are used to grant applications temporary access to wallet functions.

The Abstract team had previously urged users to avoid interacting with Cardex and to revoke any active sessions with the app to mitigate further risk. All projects using session keys in the Abstract portal are expected to undergo auditing.

Abstract is a consumer-focused Layer 2 blockchain developed by Igloo Inc., the parent company behind Pudgy Penguins.