Abstract Reports $400,000 Ether Theft From 9,000 Wallets Due to Cardex Exploit

1 day ago


A recent security incident involving Cardex, a blockchain-based game, has compromised approximately $400,000 worth of Ether across 9,000 user wallets. The attack, described as a "session key hack," was reported by Abstract, the layer-2 blockchain that hosts Cardex.

The exploit stemmed from a compromised session signer wallet that was shared among all Cardex users. A key leaked in Cardex's front-end code gave a malicious actor unauthorized access, allowing them to drain funds from affected wallets.

This incident did not compromise users’ ERC-20 tokens or NFTs, nor did it impact Abstract Global Wallet (AGW) or the core network.

Cygaar, a pseudonymous contributor to Abstract, detailed that the attacker was able to execute transactions on behalf of users, transferring and then selling shares to steal Ether. The issue was isolated to Cardex's mishandling of critical wallet credentials, particularly session keys, which are designed to grant temporary access to specific wallet functionalities.
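The root cause described above, a signing key shipped in front-end code, is something a build-time audit can catch. The following is an added example, not code from Cardex or Abstract: the function name, the identifier heuristics and the sample bundle are assumptions constructed for illustration.

```javascript
// Added example: audit built front-end assets for embedded signing keys.
// Heuristics, names and the sample bundle are assumptions, not Cardex code.

// Order n of the secp256k1 group; a valid private key is an integer in [1, n-1].
const SECP256K1_N = BigInt(
  "0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141");
// Exactly 32 bytes of hex, optionally 0x-prefixed, not part of a longer hex run.
const HEX32 = /(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])/g;
// Identifier fragments that suggest the literal is key material.
const KEY_HINT = /private|secret|signer|session.?key|mnemonic/i;

function findEmbeddedKeys(file, text, window = 80) {
  const findings = [];
  for (const m of text.matchAll(HEX32)) {
    const value = BigInt("0x" + m[1]);
    if (value === 0n || value >= SECP256K1_N) continue; // cannot be a key
    // Transaction and block hashes are also 32 bytes, so rank by what precedes.
    const context = text.slice(Math.max(0, m.index - window), m.index);
    findings.push({
      file,
      offset: m.index,
      severity: KEY_HINT.test(context) ? "high" : "review",
      redacted: m[1].slice(0, 6) + "...", // never echo the secret into CI logs
    });
  }
  return findings;
}

// A build step would fail when any finding is ranked "high".
function shouldFailBuild(findings) {
  return findings.some((f) => f.severity === "high");
}

// Constructed sample of a minified bundle (all values are made up).
const SAMPLE_BUNDLE = [
  'const GENESIS_HASH="0x' + "ab".repeat(32) + '";',
  'const SESSION_SIGNER_KEY="0x' + "11".repeat(32) + '";',
  'const MAX_UINT256="0x' + "ff".repeat(32) + '";',
].join("");

console.log(findEmbeddedKeys("app.js", SAMPLE_BUNDLE));
```

Because minified code packs statements together, the context window can pick up a hint from a neighbouring statement, so "review" findings still need a human look.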


Abstract has since issued warnings to its users, advising them to refrain from interacting with Cardex and to revoke any active sessions with the application to mitigate further risks.

The team emphasized that the incident was not a systemic failure of the Abstract platform but rather a specific vulnerability within Cardex's management practices.

In response to the breach, all projects utilizing session keys within the Abstract portal are expected to undergo auditing to enhance security measures. Abstract is operated by Igloo Inc., which is also known for its association with the Pudgy Penguins brand.

The company continues investigating the breach while implementing measures to protect user assets from future threats.
