The Abstract Layer 2 network has released a preliminary report on a hack that affected 9,000 wallets interacting with the blockchain game Cardex, which runs on the platform. As a result of the attack, the perpetrator stole $400K.
How Cardex Was Attacked
According to the report, the attacker exploited a vulnerability in the session key mechanism — a system that allows applications to temporarily manage users’ wallets. The issue arose from a key leak in Cardex’s frontend code, which enabled the hacker to sign transactions on behalf of users.
The attacker used a compromised session signer wallet that was shared among all Cardex users. This allowed him to withdraw funds by selling tokens for ETH. However, according to Abstract, ERC-20 tokens and NFTs were not affected.
The Fault Lies with Cardex, Not Abstract
Abstract emphasized that the vulnerability was not related to the network itself or the Abstract Global Wallet (AGW) but was due to improper access key management in Cardex.
Session keys are intended for limited delegation of rights to applications, but if misconfigured, they can become a vulnerability. In the case of Cardex, the attacker gained full access to users’ wallets, which led to the loss of funds.
The developers at Abstract have urged users not to interact with Cardex and to revoke all active sessions. Additionally, all projects using session keys within the Abstract ecosystem must now undergo a security audit.
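The following sketch shows the kind of check a session-key audit could include, flagging the conditions described above (one signer shared by many users, delegation with no limits). It is an added illustration, not code from Abstract or Cardex; the record fields and the one-day lifetime threshold are assumptions and do not reflect the AGW session schema.

```javascript
// Added illustration: hypothetical session records, NOT the AGW session schema.
// Field names (account, signer, expiresAt, maxSpendWei, allowedTargets) are assumptions.

const MAX_LIFETIME_SECONDS = 24 * 60 * 60; // assumed audit threshold: one day

function auditSessions(sessions, nowSeconds) {
  // Collect the distinct accounts that delegate to each signer address.
  const accountsBySigner = new Map();
  for (const s of sessions) {
    const key = s.signer.toLowerCase();
    if (!accountsBySigner.has(key)) accountsBySigner.set(key, new Set());
    accountsBySigner.get(key).add(s.account.toLowerCase());
  }

  const findings = [];
  for (const s of sessions) {
    const issues = [];
    // One signer for many users: a single leaked key exposes every wallet.
    if (accountsBySigner.get(s.signer.toLowerCase()).size > 1) issues.push("shared-signer");
    // A missing or distant expiry keeps a leaked key useful indefinitely.
    if (!Number.isInteger(s.expiresAt) || s.expiresAt - nowSeconds > MAX_LIFETIME_SECONDS) {
      issues.push("long-or-no-expiry");
    }
    // Limited delegation means a value cap and a list of callable contracts.
    if (typeof s.maxSpendWei !== "bigint") issues.push("unlimited-spend");
    if (!Array.isArray(s.allowedTargets) || s.allowedTargets.length === 0) {
      issues.push("unrestricted-targets");
    }
    if (issues.length > 0) findings.push({ account: s.account, issues });
  }
  return findings;
}

// Constructed sample data (placeholder addresses, not real wallets).
const NOW = 1_700_000_000;
const SAMPLE_SESSIONS = [
  { account: "0xAAA1", signer: "0xSHARED", expiresAt: null, maxSpendWei: null, allowedTargets: [] },
  { account: "0xAAA2", signer: "0xshared", expiresAt: null, maxSpendWei: null, allowedTargets: [] },
  { account: "0xAAA3", signer: "0xUNIQUE3", expiresAt: NOW + 3600, maxSpendWei: 10n ** 16n,
    allowedTargets: ["0xGAME"] },
];

console.log(JSON.stringify(auditSessions(SAMPLE_SESSIONS, NOW), null, 2));
```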