
$470K Ethereum Drained as Cardex Faces Security Failure

ChainPlay

yesterday


Mishandling of Private Keys Leads to Exploit

Cardex, a blockchain-based trading card game, faced a significant security breach after mishandling its private keys. Abstract network contributors confirmed that over $470,000 worth of Ethereum was drained from wallets that interacted with the app. This issue stemmed from a private key falling into the hands of a malicious actor.

Cardex allowed players to collect and use tokenized digital trading cards in online tournaments. These cards, modeled after real-world collectibles like the 1st Edition Shining Charizard Pokémon card, were assigned scores based on performance and rarity. Players competed in tournaments, with these scores determining the winners.

The game had just launched after a 24-hour presale for early access users. However, shortly after, wallets connected to the app started losing funds.

Source: X

The issue arose from how the game managed user sessions. Players were prompted to sign a transaction that granted the app control over their wallets for a set period, reportedly a month. This session system allowed the attacker to drain wallets that had active authorizations.

Preetam Rao, CEO of security firm Quill Audits, explained that session keys act as temporary authorizations. They allow apps to execute transactions on behalf of users without needing repeated approvals. While convenient, improper management of these keys can lead to vulnerabilities, as seen in this case.

The attacker managed to drain over 180 ETH, valued at approximately $484,000, over seven hours. The exploit was limited to wallets that interacted with Cardex, which helped contain the damage. The app was updated to end the attack, and a full report is expected once all details are finalized.

The breach raised concerns about the lack of communication from Cardex. Abstract core contributors like Cygaar have acknowledged the mishap and promised transparency through a detailed report. However, the absence of an immediate acknowledgment on official Cardex channels frustrated users.

Security experts emphasized the importance of transparency in building user trust. Preetam Rao criticized Cardex’s delayed response, stating that openness during crises is critical for maintaining credibility.

Source: X

The exploit also sparked debates about the use of session keys in crypto apps. Abstract aimed to simplify user experience, but this incident highlighted potential risks. Some users questioned whether session keys are safe for broader adoption.

Rao defended session keys, stating they are beneficial when managed correctly. He likened them to guest passes, providing convenience for recurring transactions. However, he noted that proper operational security practices are necessary to prevent misuse.
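The temporary-authorization model Rao describes, as an added example that is not code from Cardex, Abstract or this article: a simplified session-key policy check in Python that measures how much value a leaked key could move under a month-long, uncapped, any-target grant versus a short, capped, target-scoped one. The policy fields, the placeholder addresses and the call sequence are constructed assumptions, not Abstract's actual session-key format.

```python
from dataclasses import dataclass
from typing import Optional

ETH = 10**18  # wei per ETH

@dataclass
class SessionPolicy:
    expires_at: int                     # unix time after which the key is void
    max_total_wei: int                  # cumulative value the key may move
    allowed_targets: Optional[frozenset]  # None means any address (assumed wildcard)
    spent_wei: int = 0                  # running total enforced against the cap

@dataclass(frozen=True)
class Call:
    target: str
    value_wei: int
    at: int  # unix time of the attempted call

def authorize(policy: SessionPolicy, call: Call) -> tuple:
    """Check one call against the policy; record spend only when every check passes."""
    if call.at >= policy.expires_at:
        return False, "expired"
    if policy.allowed_targets is not None and call.target not in policy.allowed_targets:
        return False, "target not allowed"
    if policy.spent_wei + call.value_wei > policy.max_total_wei:
        return False, "spend cap exceeded"
    policy.spent_wei += call.value_wei
    return True, "ok"

def exposure_if_leaked(policy: SessionPolicy, calls: list) -> int:
    """Total wei that whoever holds the leaked key could move under this policy."""
    return sum(c.value_wei for c in calls if authorize(policy, c)[0])

GAME = "0xGAME"     # placeholder: the game contract the session is meant for
SINK = "0xSINK"     # placeholder: an address outside the game
T0 = 1_700_000_000  # constructed session start time

def broad_policy() -> SessionPolicy:
    # Month-long, uncapped, any target: the shape of grant the article describes.
    return SessionPolicy(T0 + 30 * 86400, 2**256 - 1, None)

def scoped_policy() -> SessionPolicy:
    # One day, 0.05 ETH in total, game contract only.
    return SessionPolicy(T0 + 86400, ETH // 20, frozenset({GAME}))

# Constructed: five 1 ETH transfers out of the wallet, hours apart, plus one
# normal in-game action that a scoped policy must still allow.
LEAKED_KEY_CALLS = [Call(SINK, ETH, T0 + 3600 * i) for i in range(1, 6)]
LEGIT_CALL = Call(GAME, ETH // 100, T0 + 10)
```

Under the broad policy the whole 5 ETH sequence is authorized; under the scoped policy none of it is, while the in-game call still passes.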

Lessons for Abstract and Cardex

The attack has led to uncomfortable questions about the security of apps promoted within the Abstract ecosystem. Users voiced frustration that they were encouraged to engage with apps that jeopardized their funds.

Cygaar admitted that more rigorous security checks should have been enforced for apps like Cardex. While the issue wasn’t contract-specific, operational security practices should have been more robust.

The breach serves as a cautionary tale for blockchain-based platforms. Ensuring security while maintaining convenience is a complex balance. For Cardex and Abstract, restoring user trust will require accountability, transparency, and stronger operational practices moving forward.
