Abstract has released a post-mortem following a security breach involving Cardex, a third-party app within The Portal. The breach affected approximately 9,000 wallets and led to the theft of around $400,000 in Ethereum.
The incident, detected early Tuesday morning, was not caused by a vulnerability in the Abstract Global Wallet (AGW) or the Abstract network itself but rather an isolated security failure by Cardex.
The breach was traced to the exposure of a private key on Cardex’s front end, which allowed an attacker to access the wallets of users who had approved session keys with the app.
Despite the severity of the incident, Abstract’s security team, Seal 911, and the Cardex team acted swiftly to neutralize the exploit and prevent further unauthorized access to user funds.
Unpacking the Abstract Exploit: What Went Wrong?
The security breach stemmed from a critical flaw in Cardex’s session key management system.
During the initial audit process required for listing on The Portal, the Cardex team inadvertently exposed the private key to their session signer on the frontend of their website.
This key was embedded within the frontend code, making it easily accessible to anyone who inspected the public source files.
The session signer, designed to facilitate seamless interactions between users and Cardex’s smart contracts, was shared across all users, creating a single point of failure.
This meant that anyone with access to the session signer’s private key could impersonate any user with an active session.
The exploit allowed the attacker to perform various actions, including buying, transferring, and selling shares through compromised sessions, ultimately draining users’ Ethereum.
These transactions were executed without additional user confirmation, leveraging the approved session keys to bypass standard security checks.
According to 0xCygaar, an Abstract engineer who also analyzed the incident, the root cause was the shared session signer and its exposed private key on Cardex’s front end.
The design flaw of using a shared session signer meant that once the private key was exposed, every active session was compromised, allowing the attacker to operate across multiple accounts simultaneously.
Notably, the attack did not compromise users’ ERC20 tokens or NFTs. The session keys were strictly scoped to Cardex’s smart contracts, limiting the exploit’s impact to the Cardex platform.
This containment was due to the smart contract architecture, which isolated session keys from users’ main wallets, ensuring that only the actions within Cardex were affected.
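The two design properties described above, a shared session signer (one key for every user) versus per-user signers, and session keys scoped to a single target contract, can be modelled in a few lines. The following is an added example written for this article; it is not Abstract Global Wallet or Cardex code. HMAC stands in for the ECDSA session signatures a real account-abstraction wallet uses, and the contract addresses and user names are constructed placeholders.

```python
"""Toy model of session-key authorization.

Shows why a signer key shared across all users turns one leaked key into
every active session, and how scoping a session to one contract keeps
unrelated assets (ERC20s, NFTs) out of reach even when the key leaks.
HMAC-SHA256 is an assumption standing in for real ECDSA session signatures.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CARDEX_CONTRACT = "0xCARDEX"  # constructed placeholder, not a real address
ERC20_CONTRACT = "0xTOKEN"    # constructed placeholder, not a real address


@dataclass
class Session:
    user: str
    signer_key: bytes             # secret that authorizes calls for this session
    allowed_contracts: frozenset  # the scope the user approved when creating it


def sign(key: bytes, user: str, target: str, action: str) -> str:
    """Session signature over (user, target contract, action)."""
    msg = f"{user}|{target}|{action}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Wallet:
    """Validates a session-signed call before executing it for the user."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def approve(self, user: str, key: bytes, contracts) -> None:
        self.sessions[user] = Session(user, key, frozenset(contracts))

    def revoke(self, user: str) -> None:
        # What a revocation tool does for an affected user: drop the session.
        self.sessions.pop(user, None)

    def execute(self, user: str, target: str, action: str, sig: str) -> bool:
        session = self.sessions.get(user)
        if session is None:
            return False                      # no active session, nothing to do
        if target not in session.allowed_contracts:
            return False                      # scope check: out-of-scope contract
        expected = sign(session.signer_key, user, target, action)
        return hmac.compare_digest(sig, expected)


def blast_radius(wallet: Wallet, leaked_key: bytes) -> list[str]:
    """Defender's question after a leak: which users' sessions does this key drive?"""
    return [u for u, s in wallet.sessions.items()
            if hmac.compare_digest(s.signer_key, leaked_key)]


def shared_signer_model(users):
    """The flawed design: one signer key embedded for everyone."""
    wallet, shared_key = Wallet(), secrets.token_bytes(32)
    for u in users:
        wallet.approve(u, shared_key, [CARDEX_CONTRACT])
    return wallet, shared_key


def per_user_signer_model(users):
    """The corrected design: an individual signer key per user."""
    wallet = Wallet()
    keys = {u: secrets.token_bytes(32) for u in users}
    for u in users:
        wallet.approve(u, keys[u], [CARDEX_CONTRACT])
    return wallet, keys


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]
    w, shared = shared_signer_model(users)
    print("shared signer leaked ->", blast_radius(w, shared))      # all three users
    w, keys = per_user_signer_model(users)
    print("alice's signer leaked ->", blast_radius(w, keys["alice"]))  # only alice
```

Running the model shows the difference in blast radius: a leaked shared key lists every user, a leaked per-user key lists one. The scope check in `execute` is the reason the article can say ERC20 tokens and NFTs were untouched: a call signed with a valid session key but aimed at a different contract is rejected before any signature is even checked.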
Abstract’s Security Response and Future Measures
Abstract responded swiftly by collaborating with Seal 911, security researchers, and the Cardex team to contain the exploit.
Within hours, the team identified the exposed session signer key, suspended Cardex on The Portal, and deployed a revocation tool (revoke.abs.xyz) to help affected users revoke open session keys.
By 9:35 AM EST, the compromised contract was upgraded to revert all transactions, effectively preventing further exploitation.
In the aftermath, Abstract is implementing stricter security measures. All projects listed on The Portal will undergo more comprehensive audits, covering contract code and front-end security practices.
Additionally, Abstract will enforce individualized session signers per user and encrypted key storage, addressing the root causes of this breach.
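One concrete front-end check such an audit can include is scanning the built JavaScript bundle for raw signer keys before it ships, since a key embedded in front-end code is readable by anyone who opens the source. The scanner below is an added example for this article, not Abstract's or Cardex's tooling; the bundle contents and the 64-hex values in it are constructed and are not real keys or transaction hashes.

```python
"""Pre-release check: flag 64-hex-character secrets in built front-end assets.

A 32-byte private key serialises as 64 hex characters (optionally 0x-prefixed),
but so do transaction hashes and bytes32 constants, so each hit is graded by
whether a key-like identifier appears on the same line. Findings carry only a
redacted preview so the report itself never reproduces a secret.
"""
import re

# 64 hex chars not embedded inside a longer hex run; 0x prefix optional.
PRIVKEY_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")
# Identifiers that make a hit much more likely to be a signing key.
KEY_CONTEXT_RE = re.compile(r"(private|secret|signer|session)[_a-z]*key", re.I)

# Constructed sample bundle (not real code, keys or hashes):
#   line 1: a session signer key shipped in config  -> high confidence
#   line 2: a 4-byte function selector              -> no hit
#   line 3: a transaction hash in a comment         -> low confidence
SAMPLE_BUNDLE = (
    'const cfg={sessionSignerKey:"0x' + "11" * 32 + '",app:"cardex"};\n'
    'const SELECTOR="0xa9059cbb";\n'
    '// last seen tx: 0x' + "cd" * 32 + '\n'
)


def scan_bundle(name: str, text: str) -> list[dict]:
    """Return one finding per 64-hex match, graded by surrounding context."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PRIVKEY_RE.finditer(line):
            confidence = "high" if KEY_CONTEXT_RE.search(line) else "low"
            findings.append({
                "file": name,
                "line": lineno,
                "confidence": confidence,
                "preview": m.group(0)[:6] + "...",  # redacted, never the full value
            })
    return findings


def high_confidence(findings: list[dict]) -> list[dict]:
    """The subset that should block a release until a human has looked at it."""
    return [f for f in findings if f["confidence"] == "high"]


if __name__ == "__main__":
    for f in scan_bundle("app.js", SAMPLE_BUNDLE):
        print(f"{f['file']}:{f['line']} [{f['confidence']}] {f['preview']}")
    print("release blocked:", bool(high_confidence(scan_bundle("app.js", SAMPLE_BUNDLE))))
```

Wired into CI on the build output rather than the source tree, this catches keys that arrive through environment variables or build-time config substitution, which is how a secret can reach a shipped bundle without ever appearing in a committed file. Low-confidence hits are worth a glance but should not block by themselves; a front end legitimately embeds many hashes and bytes32 constants.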
To further safeguard users, Abstract plans to integrate Blockaid’s transaction simulation tooling into the Abstract Global Wallet, allowing users to understand permissions better when creating session keys.
A session key dashboard will also be introduced, giving users enhanced visibility and control over their active sessions.