In a most regrettable occurrence, Abstract, the much-touted Ethereum Layer 2, has been compelled to recount the sorry tale of a breach that drained approximately $400,000 worth of ETH from some 9,000 wallets, all belonging to users of Cardex, a so-called ‘blockchain-based game’ on its esteemed network.
The breach, it seems, was not due to any failing in Abstract’s own core infrastructure or its vaunted session key validation contracts, but to a most unwise decision on Cardex’s part: the app shipped a session signer’s private key in its frontend code, where anyone who cared to look could read it. One can only wonder at the imprudence!
The Misfortune of the Cardex Wallets
This lamentable incident hinged upon the misuse of session keys, a feature of the Abstract Global Wallet (AGW) that grants an application temporary, scoped permission to act on a user’s behalf. The feature is intended to enhance the user’s experience, but in this instance it led to nothing but distress.
Session keys are, in themselves, a well-scrutinized security feature; the fault lay in how Cardex used them. Rather than a distinct session signer for each user, Cardex, in its wisdom, employed a single shared session signer wallet for all its users, a practice that even the least knowledgeable among us would have advised against. Exposing that signer’s private key in the frontend code was the cherry atop this rather ill-baked cake: whoever held the key could act within every open Cardex session at once.
Abstract’s subsequent investigation revealed the miscreants’ routine. They would identify an open session, use the compromised session key to perform a buyShares transaction with the poor victim’s ETH, transfer the resulting shares to an address of their own, and then sell them on the Cardex bonding curve, extracting ETH at each turn.
It is, however, a small comfort to note that only the ETH users had committed within Cardex was affected. Their ERC-20 tokens and NFTs remained as secure as ever, because the session key’s permissions were scoped to Cardex and did not extend to those assets.
The sequence of events began at 6:07 AM EST on February 18th, when a developer posted a transaction link showing an address draining funds at a brisk pace. Within half an hour, suspicion had settled on Cardex, and the security teams sprang into action.
Swift measures followed: access to Cardex was blocked, a session revocation site was deployed so that users could close their open sessions, and the affected contract was upgraded to prevent any further transactions. One can only hope the episode serves as a lesson to others.
Abstract, ever the responsible party, has outlined several steps to prevent a recurrence. Henceforth, all applications listed in its portal must undergo a stricter security review, including front-end code audits to catch exposed keys. The use of session keys across listed apps will be reassessed to ensure proper scoping and key storage. Documentation on session key implementation will be updated, no doubt with a stern reminder to all to mind their Ps and Qs.
The Road Ahead
In response to this breach, Abstract is integrating Blockaid’s transaction simulation tools into AGW, which will, one hopes, show users exactly what permissions they are granting when they create a session key. Collaborations with Privy and Blockaid aimed at improving session key security are also afoot. A session key dashboard will be added to The Portal, giving users a single place to review and revoke their open sessions, a most welcome innovation indeed!
2025-02-20 01:56