Ethereum Layer 2 Platform Abstract Reports $400K Crypto Breach in Cardex Incident
Feb 19, 2025 3:23 PM

Ethereum Layer 2 platform, Abstract, has released an initial post-mortem on a security incident that resulted in the compromise of approximately $400,000 worth of ETH across 9,000 wallets interacting with Cardex, a blockchain-based game on its network.

The report clarified that the breach stemmed from vulnerabilities in Cardex's frontend code rather than an issue with Abstract's core infrastructure or session key validation contracts.

Cardex Wallet Compromise

The incident revolved around the misuse of session keys, a mechanism in the Abstract Global Wallet (AGW) that allows for temporary, scoped permissions to improve user experience.

While session keys themselves are a well-audited security feature, Cardex made a critical error by using a shared session signer wallet for all users, a practice that is not recommended. This flaw was further amplified by the exposure of the session signer's private key to Cardex's frontend code, which ultimately led to the exploit.

According to Abstract's root cause analysis, attackers identified an open session from a victim, initiated a buyShares transaction on their behalf, and then used the compromised session key to transfer the shares to themselves before selling them on the Cardex bonding curve to extract ETH.

Importantly, only the ETH used within Cardex was affected. Meanwhile, users' ERC-20 tokens and NFTs remained secure due to the limits on session key permissions.

The timeline of events indicates that the first signs of suspicious activity were flagged at 6:07 AM EST on February 18th when a developer posted a transaction link showing an address draining funds. In less than 30 minutes, Cardex was suspected as the source of the exploit, and security teams quickly mobilized to investigate.

Within hours, mitigation steps were taken. These included blocking access to Cardex, deploying a session revocation site, and upgrading the affected contract to prevent further transactions.

Abstract has outlined several measures to prevent future incidents of this nature. Going forward, all applications listed in its portal must undergo a stricter security review, including front-end code audits to prevent the exposure of sensitive keys. Additionally, session key usage across listed apps will be reassessed to ensure proper scoping and storage practices. Documentation on session key implementation will be updated to reinforce best practices.
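
A front-end audit for exposed signing keys can be partly automated. The following is an added example, not code from Abstract or Cardex: it scans a built front-end bundle for 32-byte hex literals that are valid secp256k1 private keys and raises the severity when the preceding identifier suggests a signer. The identifier keywords and the sample bundle are assumptions constructed for illustration.

```javascript
// Order of the secp256k1 group; a usable private key k satisfies 1 <= k < N.
const SECP256K1_N = BigInt(
  "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141");

// Identifier fragments that suggest a signing secret (heuristic, an assumption).
const KEY_CONTEXT = /(private|secret|signer|session)[\w$]*\s*[:=]\s*["'`]?$/i;

// A 32-byte hex literal, optionally 0x-prefixed, not part of a longer hex run
// (so 65-byte signatures and other long blobs are not matched).
const HEX32 = /(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])/g;

function findKeyCandidates(source, fileName) {
  const findings = [];
  for (const m of source.matchAll(HEX32)) {
    const value = BigInt("0x" + m[1]);
    // Skips bytes32 zero and max-uint256 constants, which are common in dapps.
    if (value === 0n || value >= SECP256K1_N) continue;
    const before = source.slice(Math.max(0, m.index - 60), m.index);
    findings.push({
      file: fileName,
      line: source.slice(0, m.index).split("\n").length,
      // Never echo the full value into CI logs; show a short prefix only.
      preview: m[1].slice(0, 6) + "...",
      // Hashes are also 32 bytes, so matches without key context need a human.
      severity: KEY_CONTEXT.test(before) ? "high" : "review",
    });
  }
  return findings;
}

// Constructed sample bundle (not Cardex code); the key is a dummy value.
const SAMPLE_BUNDLE = [
  'const MAX="0x' + "f".repeat(64) + '";',
  'const cfg={sessionSignerKey:"0x' + "11".repeat(32) + '"};',
  'const lastTx="' + "ab".repeat(32) + '";',
].join("\n");

console.log(findKeyCandidates(SAMPLE_BUNDLE, "bundle.js"));
```

Run against every file in the build output as a CI gate: a "high" finding should fail the build, and the key should be treated as compromised and rotated, since anything shipped to the browser is readable by every visitor.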

What's Ahead

In response to this breach, Abstract is also integrating Blockaid's transaction simulation tools into AGW, which will help users to see what permissions they are granting when creating session keys. Further collaborations with Privy and Blockaid are underway to improve session key security.

A session key dashboard will also be introduced in The Portal, which is expected to give users a centralized interface to review and revoke their open sessions.
