Global News HQ
    Ethereum Layer 2 Platform Abstract Reports $400K Crypto Breach in Cardex Incident




    Ethereum Layer 2 platform Abstract has released an initial post-mortem on a security incident that compromised approximately $400,000 worth of ETH across 9,000 wallets interacting with Cardex, a blockchain-based game on its network.

    The report clarified that the breach stemmed from vulnerabilities in Cardex’s frontend code rather than an issue with Abstract’s core infrastructure or session key validation contracts.

    Cardex Wallet Compromise

    The incident revolved around the misuse of session keys, a mechanism in the Abstract Global Wallet (AGW) that allows for temporary, scoped permissions to improve user experience.

    While session keys themselves are a well-audited security feature, Cardex made a critical error by using a shared session signer wallet for all users, a practice that is not recommended. This flaw was further amplified by the exposure of the session signer’s private key to Cardex’s frontend code, which ultimately led to the exploit.

    According to Abstract’s root cause analysis, attackers identified an open session from a victim, initiated a buyShares transaction on their behalf, and then used the compromised session key to transfer the shares to themselves before selling them on the Cardex bonding curve to extract ETH.

    Importantly, only the ETH used within Cardex was affected. Users’ ERC-20 tokens and NFTs remained secure because of the limits on session key permissions.

    The timeline of events indicates that the first signs of suspicious activity were flagged at 6:07 AM EST on February 18th when a developer posted a transaction link showing an address draining funds. In less than 30 minutes, Cardex was suspected as the source of the exploit, and security teams quickly mobilized to investigate.

    Within hours, mitigation steps were taken. These included blocking access to Cardex, deploying a session revocation site, and upgrading the affected contract to prevent further transactions.

    Abstract has outlined several measures to prevent future incidents of this nature. Going forward, all applications listed in its portal must undergo a stricter security review, including front-end code audits to prevent the exposure of sensitive keys. Additionally, session key usage across listed apps will be reassessed to ensure proper scoping and storage practices. Documentation on session key implementation will be updated to reinforce best practices.
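
The shared-signer flaw described above is something a reviewer can check for when reassessing session key usage. This added example (not Abstract's or Cardex's code) audits a constructed list of open sessions and flags any signer that can act for more than one account; the record fields, addresses and amounts are hypothetical.

```javascript
// Added example. Constructed records; field names are hypothetical and are
// not the Abstract Global Wallet schema. Amounts are in wei (BigInt).
const ETH = 10n ** 18n;
const SAMPLE_SESSIONS = [
  { account: "0xaaa1", signer: "0x5151", app: "game", maxValueWei: 2n * ETH, expiresAt: 2000 },
  { account: "0xaaa2", signer: "0x5151", app: "game", maxValueWei: 1n * ETH, expiresAt: 2000 },
  { account: "0xaaa3", signer: "0x5151", app: "game", maxValueWei: 3n * ETH, expiresAt: 900 }, // expired
  { account: "0xbbb1", signer: "0x7a01", app: "dex", maxValueWei: 1n * ETH, expiresAt: 2000 },
  { account: "0xbbb2", signer: "0x7a02", app: "dex", maxValueWei: 1n * ETH, expiresAt: 2000 },
];

// Group live sessions by signer and report every signer that can act for
// more than one account, with the total value a single leaked key reaches.
function auditSessions(records, now) {
  const bySigner = new Map();
  for (const s of records) {
    if (s.expiresAt <= now) continue; // expired sessions are no longer usable
    const entry = bySigner.get(s.signer) ??
      { accounts: new Set(), apps: new Set(), exposureWei: 0n };
    entry.accounts.add(s.account);
    entry.apps.add(s.app);
    entry.exposureWei += s.maxValueWei;
    bySigner.set(s.signer, entry);
  }
  const findings = [];
  for (const [signer, e] of bySigner) {
    if (e.accounts.size > 1) {
      findings.push({
        rule: "shared-session-signer",
        signer,
        apps: [...e.apps].sort(),
        accounts: [...e.accounts].sort(),
        exposureWei: e.exposureWei,
      });
    }
  }
  return findings;
}

for (const f of auditSessions(SAMPLE_SESSIONS, 1000)) {
  console.log(`${f.rule}: ${f.signer} covers ${f.accounts.length} accounts, ` +
    `${f.exposureWei / ETH} ETH reachable with one key`);
}
```

A per-user signer, generated and held on the user's own device, keeps each signer mapped to exactly one account, so the audit returns no findings for it.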

    What’s Ahead

    In response to this breach, Abstract is also integrating Blockaid’s transaction simulation tools into AGW, which will help users to see what permissions they are granting when creating session keys. Further collaborations with Privy and Blockaid are underway to improve session key security.

    A session key dashboard will also be introduced in The Portal, which is expected to give users a centralized interface to review and revoke their open sessions.
