‘Cardex’ Game Exploit Drains Wallets on Ethereum Layer-2 Abstract

Cardex, a blockchain trading card game on Ethereum layer-2 network Abstract, mishandled its private keys, according to Abstract network core contributors, leading to over $470,000 worth of Ethereum being drained from wallets that interacted with it.

Cardex offered tokenized digital versions of “high-end trading cards,” like a 1st Edition Shining Charizard Pokémon card, which could then be used to compete in online tournaments. Each card has a score that is calculated by its “performance” rating and multiplied by its rarity, with these scores used to determine who would win a tournament.

The game officially launched last week, after a 24-hour card presale for early access users. Early on Tuesday, wallets that had interacted with the Abstract app started to be drained of funds. Pseudonymous Abstract core contributors Cygaar and 0xBeans figured out that the Cardex private key had been mishandled, falling into the hands of a malicious actor, confirming it on X (formerly Twitter).

With this key, the attacker was able to drain wallets that had an active “session” with the game. It appears that when playing Cardex, users were prompted to sign a transaction, referred to as a session, that would give the app full control over the wallet’s funds for a period of time—allegedly a month in this case, according to one developer who spoke with Decrypt.

“Session basically refers to a temporary authorization that allows a smart contract (or dapp) to execute transactions on behalf of the user without requiring new approvals every time,” CEO of security firm Quill Audits, Preetam Rao, told Decrypt.

Over the course of seven hours, the attacker successfully drained over 180 ETH, worth approximately $484,000, according to a Dune dashboard tracking the attacker’s wallet.

Fortunately, the exploit was isolated to only those that had interacted with Cardex so much of the network remained safe—although some users dispute this. Equally, according to Cygaar, the Cardex was updated which brought an end to the attack. Cygaar confirmed a full report of the situation will be published once all details are ironed out.

“This is a huge blow to the abstract ecosystem,” Rao told Decrypt. “Cardex still hasn’t confirmed the attack from their socials yet, which is a bad move. They should be transparent at a time like this.”

The attack has raised uncomfortable questions around which apps are promoted within the Abstract ecosystem. Some Abstract users are annoyed that they were encouraged to explore apps that have potentially put their funds at risk.

“All app contracts on the portal have been audited (anything spotlighted has a tier-1 firm auditing it),” Cygaar claimed. “The problem in this case was not contract specific, but even then we could’ve done a better job forcing them to have their [operational security] verified.”

Still, some users have pushed back on this explanation, claiming that the exploit shows that session keys on the whole aren’t a safe solution for users. Abstract was built around user-friendliness and attracting a broad consumer base thanks to streamlined features like this.

Rao said that broadly blaming session keys isn’t the answer, however, even if this particular implementation burned users.

“Generally, session keys are good to have,” Rao explained. “It just depends on how they are managed. Think of them like guest passes—you wouldn’t want to give approval to a contract again and again for a swap transaction, right? It just makes it more convenient.”

Edited by Andrew Hayward