Yesterday, an exploit hit Cardex, an onchain fantasy trading card game, leading to the loss of $400,000 worth of ETH from around 9,000 wallets on the Abstract network. The issue wasn't due to a flaw in Abstract's Global Wallet (AGW) but rather a major security failure on Cardex's side. Specifically, the Cardex team exposed their private key on their website's frontend, allowing an attacker to drain funds from users who had approved a session key with them.
Cardex had only gone live a week ago, and it was actively promoted on Abstract's Discover page, making the exploit even more damaging for early adopters.
What Is Abstract?
Abstract is an Ethereum Layer 2 (L2) blockchain, built by Igloo Inc., the same company behind Pudgy Penguins. It is designed to bridge the gap between blockchain tech and consumer apps, offering a scalable and seamless user experience.
Abstract uses a zero-knowledge rollup, meaning transactions are processed off-chain, batched together, and then verified on the Ethereum mainnet. This allows for lower transaction fees and faster processing times, making it a popular choice for dApps like Cardex.

How the Exploit Worked
The breach was mainly due to Cardex's mishandling of session keys. Session keys in blockchain apps allow users to grant specific permissions to third-party apps, enabling actions on their behalf without exposing their private keys. In this case, Cardex inadvertently exposed the private key of their session signer on the website's frontend.
According to a post mortem by Cygaar, the attacker exploited the session signer key, which was shared across all users, a major security risk that experts strongly advise against. Here's how the attack played out:
- The attacker identified an active session belonging to a victim.
- They then executed a buyShares transaction using the victim's wallet.
- The stolen shares were transferred to the attacker's wallet.
- The attacker sold the shares on Cardex's bonding curve to "effectively steal ETH from the victim."
Since the exploit targeted session keys, ERC-20 tokens and NFTs were not at risk. However, the breach has significantly damaged trust in Abstract's security protocol.
More About buyShares and transferShares
Cardex allowed users to interact with digital trading cards on-chain, using functions like buyShares and transferShares.
- buyShares: This function presumably allows users to purchase in-game assets, such as tokenized trading cards, by spending ETH.
- transferShares: This function enables users to transfer ownership of their assets to another wallet for trading and selling.
In this case, the attacker misused these functions to acquire and move assets illicitly, converting them into ETH for personal gain.
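As an added illustration (not Cardex's or Abstract Global Wallet's code), the following minimal session-key policy checker shows the controls the session-key description and the buyShares/transferShares discussion above imply: a signer scoped to one owner, an allow-list of function selectors, an expiry and a spend cap, plus a check that flags a signer shared across many owners. The policy shape, addresses and selector values are constructed assumptions, not Cardex's real contract selectors.

```javascript
// Added example, not Cardex's or Abstract Global Wallet's code. Policy shape,
// addresses and selector values are constructed assumptions for illustration.
const SELECTORS = {
  buyShares: "0x1b2c3d4e",      // placeholder, not the real buyShares selector
  transferShares: "0x5f6a7b8c", // placeholder, not the real transferShares selector
};

// One session grant: which signer may act for which owner, on which contract,
// for which function selectors, until when, and up to how much ETH in total.
function makeSession({ owner, signer, target, allowedSelectors, expiresAt, spendCapWei }) {
  return {
    owner, signer, target, expiresAt, spendCapWei,
    allowedSelectors: new Set(allowedSelectors),
    spentWei: 0n, // caller adds call.valueWei here after each permitted call
  };
}

// Returns null when the call is within the session's scope, otherwise a reason.
function checkSessionCall(session, call, nowSeconds) {
  if (nowSeconds >= session.expiresAt) return "session expired";
  if (call.signer.toLowerCase() !== session.signer.toLowerCase()) return "wrong signer";
  if (call.to.toLowerCase() !== session.target.toLowerCase()) return "target not allowed";
  const selector = call.data.slice(0, 10); // "0x" + 4-byte function selector
  if (!session.allowedSelectors.has(selector)) return `selector ${selector} not allowed`;
  if (session.spentWei + call.valueWei > session.spendCapWei) return "spend cap exceeded";
  return null;
}

// Lists signer addresses approved by more than one owner: the shared-signer
// pattern that let a single leaked key act for every Cardex user.
function sharedSigners(sessions) {
  const ownersBySigner = new Map();
  for (const s of sessions) {
    const key = s.signer.toLowerCase();
    if (!ownersBySigner.has(key)) ownersBySigner.set(key, new Set());
    ownersBySigner.get(key).add(s.owner.toLowerCase());
  }
  return [...ownersBySigner].filter(([, owners]) => owners.size > 1).map(([signer]) => signer);
}
```

A wallet or dashboard that applies these checks rejects a transferShares call from a session that was only granted buyShares, and surfaces any signer that many accounts have approved.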
Abstract's Response & Mitigation Plan
Abstract's team responded swiftly, working with Seal 911 and other security experts to contain the exploit. The following steps were taken to prevent further damage:
- Blocking access to Cardex to stop new sessions from being created.
- Deploying a revoke tool (revoke.abs.xyz) so users could revoke open session keys.
- Upgrading the contract to revert all transactions, cutting off the attacker's ability to execute more exploits.
Going forward, Abstract plans to tighten security measures for all apps listed on its platform, including:
- Stricter security audits for third-party apps.
- Reviewing session key implementations to prevent similar vulnerabilities.
- Integrating Blockaid's transaction simulation tool into Abstract Global Wallet to warn users about risky permissions.
- Creating a session key dashboard for users to easily manage and revoke approvals.
What About User Refunds?
Abstract has stated that its top priority is to help Cardex remediate the situation and hopefully refund affected users. However, details on how or when this will happen are still unclear.
What This Means for Abstract
Even though the exploit wasn't Abstract's fault, users lost money and trust in the platform. Interestingly, the Total Value Locked (TVL) on Abstract's chain did not drop significantly despite the incident. This suggests that while trust in individual apps like Cardex has taken a hit, confidence in Abstract as a whole remains intact—for now.