Security Breach Hits Cardex: $400,000 Worth of ETH Stolen
Recently, Cardex, an onchain fantasy trading card game, fell victim to an exploit that resulted in the loss of $400,000 worth of ETH from around 9,000 wallets on the Abstract network. The security breach was not due to a flaw in Abstract’s Global Wallet (AGW) but rather a significant security failure on Cardex’s end. The Cardex team inadvertently exposed their private key on the website’s frontend, allowing an attacker to drain funds from users who had approved a session key with them.
Impact of the Exploit on Early Adopters
Cardex had only launched a week prior to the exploit and was actively promoted on Abstract’s Discover page. This made the exploit even more damaging for early adopters who trusted the platform.
Understanding Abstract
Abstract is an Ethereum Layer 2 (L2) blockchain created by Igloo Inc., the same company behind Pudgy Penguins. It aims to bridge the gap between blockchain technology and consumer applications, offering a scalable and seamless user experience.
Using zero-knowledge rollup technology, Abstract processes transactions off-chain, batches them together, and then verifies them on the Ethereum mainnet. This results in lower transaction fees and faster processing times, making it a preferred choice for dApps like Cardex.
Exploit Details
The breach at Cardex was primarily due to mishandling of session keys. Session keys in blockchain applications allow users to grant specific, limited permissions to a third-party app without exposing their own private keys. In this case, Cardex shipped the private key of its session signer in the website’s frontend code, so anyone who read the page source held the key that users’ sessions trusted. With that key, the attack consisted of:
- Identifying an active session belonging to a victim.
- Executing a buyShares transaction using the victim’s wallet.
- Transferring stolen shares to the attacker’s wallet.
- Selling the shares on Cardex’s bonding curve to steal ETH from the victim.
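The root cause above was a signer private key bundled into client-side code. A build-time check that flags 32-byte hex literals in the shipped bundle would have caught it before deployment. The following is an added example, not Cardex’s or Abstract’s code: the bundle text is constructed for the example, the key in it is fake, and the heuristic (a 64-hex literal next to an identifier that looks like a key name) is an assumption about what a reviewer would want surfaced.

```javascript
// Added example (not from the original page): scan a frontend bundle for
// 32-byte hex literals that look like EVM private keys before it ships.

// A 64-hex literal not embedded in a longer hex run (so 128-hex signatures
// and 40-hex addresses are not reported).
const HEX32 = /(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])/g;
// Identifier fragments that make a nearby 64-hex literal worth a hard stop.
const KEY_HINT = /(priv|secret|signer|mnemonic|key)/i;

// Constructed bundle text for the example; the "key" is fake.
const BUNDLE = [
  'const CONTRACT = "0x0000000000000000000000000000000000000001";',
  'const SESSION_SIGNER_KEY = "0x4c0883a69102937d9234c6e16f2d9a7a1f1d2c3b4a5968778695a4b3c2d1e0f9";',
  'const DEPLOY_TX = "0xe3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";',
  'const SIG = "0x' + "ab".repeat(64) + '";',
].join("\n");

// Classify one literal: "high" when the same line names a key-like variable,
// otherwise "review" (tx hashes and other 32-byte values also look like this).
function classify(bundle, literal, index) {
  const lineStart = bundle.lastIndexOf("\n", index - 1) + 1;
  const context = bundle.slice(lineStart, index);
  const line = bundle.slice(0, index).split("\n").length;
  return {
    line,
    literal,
    severity: KEY_HINT.test(context) ? "high" : "review",
  };
}

// Return every suspicious literal in the bundle, in source order.
function scanBundle(bundle) {
  const findings = [];
  for (const m of bundle.matchAll(HEX32)) {
    const hex = m[0].replace(/^0x/, "");
    // All-zero or all-f values are placeholders, not keys.
    if (/^0+$/.test(hex) || /^f+$/i.test(hex)) continue;
    findings.push(classify(bundle, m[0], m.index));
  }
  return findings;
}

// Gate for CI: a single "high" finding should fail the build.
function bundleIsClean(bundle) {
  return !scanBundle(bundle).some((f) => f.severity === "high");
}

for (const f of scanBundle(BUNDLE)) {
  console.log(`line ${f.line}: ${f.severity} ${f.literal.slice(0, 10)}...`);
}
console.log("bundle clean:", bundleIsClean(BUNDLE));
```

The check is deliberately noisy: any 32-byte value that is not obviously a placeholder is reported, and only the variable name decides whether the build stops. A session signer key should never be in the bundle at all; it belongs on the user’s device, so a "high" finding here is a defect regardless of which app the key was meant for.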
Functions Exploited by the Attacker
Cardex allowed users to interact with digital trading cards on-chain through functions like buyShares and transferShares.
- buyShares: Enables users to purchase tokenized trading cards by spending ETH.
- transferShares: Allows users to transfer ownership of assets for trading and selling.
Abstract’s Response and Future Plans
Abstract’s team acted swiftly to contain the exploit, working with security experts like Seal 911. They took several steps to prevent further damage, including blocking access to Cardex, deploying a revoke tool for users to revoke open session keys, and upgrading the contract to halt the attacker’s actions.
For the future, Abstract plans to enhance security measures for all apps on its platform by conducting stricter security audits, reviewing session key implementations, integrating Blockaid’s transaction simulation tool, and creating a session key dashboard for users.
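The response above centres on revoking open session keys and reviewing how apps scope them. To make the scoping concrete, the following is an added example and not Abstract Global Wallet’s or Cardex’s implementation: a minimal model of a session that is bound to one signer, one target contract, an allowlist of functions, a spend cap and an expiry, plus the revoke step. Field names, the use of function names in place of 4-byte selectors, and the sample values are assumptions for illustration.

```javascript
// Added example (not from the original page): a scoped session key policy
// with revocation. Names, fields and the call shape are assumptions.

const ONE_ETH = 10n ** 18n;

// A session grants one signer limited rights over one account.
function createSession({ signer, account, target, selectors, spendLimitWei, ttlSeconds, now }) {
  return {
    signer,
    account,
    target,
    selectors: new Set(selectors), // function names stand in for 4-byte selectors
    spendLimitWei,
    spentWei: 0n,
    expiresAt: now + ttlSeconds,
    revoked: false,
  };
}

// Decide whether a call signed by a session signer may go through.
// Every check is independent of the others so a leaked signer key is
// still limited to the target, the allowlist, the cap and the window.
function authorize(session, call, now) {
  if (session.revoked) return { ok: false, reason: "session revoked" };
  if (now >= session.expiresAt) return { ok: false, reason: "session expired" };
  if (call.signer !== session.signer) return { ok: false, reason: "wrong signer" };
  if (call.to !== session.target) return { ok: false, reason: "target not allowed" };
  if (!session.selectors.has(call.selector)) return { ok: false, reason: "function not allowed" };
  if (session.spentWei + call.valueWei > session.spendLimitWei) {
    return { ok: false, reason: "spend limit exceeded" };
  }
  session.spentWei += call.valueWei; // record spend only on success
  return { ok: true, reason: "authorized" };
}

// What Abstract's revoke tool does for a user: the session stops working
// no matter who holds the signer key.
function revoke(session) {
  session.revoked = true;
}

// Walk through a scenario with constructed values and return the outcomes.
function runScenario() {
  const GAME = "0xGAME_CONTRACT_PLACEHOLDER"; // placeholder address
  const session = createSession({
    signer: "session-signer-1",
    account: "victim-account",
    target: GAME,
    selectors: ["buyShares"], // transfers out are not part of this session
    spendLimitWei: ONE_ETH / 2n,
    ttlSeconds: 3600,
    now: 1000,
  });
  const buy = (value) => ({ signer: "session-signer-1", to: GAME, selector: "buyShares", valueWei: value });
  const out = [];
  out.push(authorize(session, buy(ONE_ETH * 3n / 10n), 1010).reason);
  out.push(authorize(session, { signer: "session-signer-1", to: GAME, selector: "transferShares", valueWei: 0n }, 1020).reason);
  out.push(authorize(session, buy(ONE_ETH * 3n / 10n), 1030).reason); // 0.3 + 0.3 > 0.5
  revoke(session);
  out.push(authorize(session, buy(ONE_ETH / 10n), 1040).reason);
  return out;
}

console.log(runScenario());
```

The scenario shows what least privilege buys: a session limited to one function and a small cap can only lose that cap before it expires, and revocation closes it immediately. A session scoped broadly enough to move assets to any address, as in the attack described above, gives the holder of a leaked signer key the same reach as the user.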
User Refunds and Impact on Abstract
Abstract’s top priority is to assist Cardex in remedying the situation and potentially refunding affected users. However, details on the refund process remain unclear. Despite the exploit, trust in Abstract as a whole has not significantly diminished, indicating continued confidence in the platform.