A major security breach in the Abstract Layer 2 blockchain has led to the exposure of $400,000 worth of Ethereum (ETH) from 9,000 user wallets, according to an initial due diligence report published by Abstract.
Cardex Exploit $400,000 in Hacker Attack from 9,000 Wallets
The attack, which was detected early, was described as a “session key attack,” in which a malicious hacker gained access to user wallets that interact with Cardex, a blockchain-based game running on Abstract.
How Did the Attack Happen?
The hack was reportedly caused by a leaked key in Cardex’s front-end code, which compromised a shared session signer wallet used by all Cardex players.
The hacker attempted to:
- Effectively stealing ETH by performing transactions on behalf of users.
- Selling user assets, although ERC-20 tokens and NFTs are unaffected.
The preliminary investigation highlighted that the attack was not caused by a flaw in Abstract’s core blockchain or Global Wallet (AGW), but rather by Cardex’s poor security management in handling session keys.
Session keys are used to enhance the user experience by allowing applications to create temporary and limited access to wallets. However, improper security practices, such as exposing critical credentials, can lead to breaches like this.
The attacker gained unauthorized control over user wallets by exploiting Cardex's mismanagement of session keys.
Abstract's Response and User Advice
Abstract has taken immediate steps to reduce the risk:
- It urged users to cancel active sessions with Cardex.
- Abstract's portal has announced mandatory security audits for all projects using session keys.
- The core Abstract network has been confirmed to remain secure.
*This is not investment advice.
