QUADRIGA INITIATIVE
$400 000 USD
FEBRUARY 2025
GLOBAL
CARDEX
DESCRIPTION OF EVENTS

"Cardex offered tokenized digital versions of “high-end trading cards,” like a 1st Edition Shining Charizard Pokémon card, which could then be used to compete in online tournaments. Each card has a score that is calculated by its “performance” rating and multiplied by its rarity, with these scores used to determine who would win a tournament.
The game officially launched last week, after a 24-hour card presale for early access users."
"The Cardex team completed their initial audits to be approved to be listed on the portal; during this process the Cardex team inadvertently exposed the private key to their session signer on the front end of their website, which was outside of the scope of the audit and a practice we warn about. This allowed an attacker to initiate transactions to the Cardex contracts for any wallet that had approved a session key with them."
"The problem today was that the session signer wallet was compromised through a leaked key in Cardex’s frontend code. Because the session signer is shared amongst all sessions, all users who had created sessions on Cardex were at risk. The actual exploit worked like this:
1. The attacker finds an open session belonging to a victim.
2. Attacker creates a buyShares transaction to purchase shares on behalf of the victim.
3. Attacker then calls transferShares through the compromised session to transfer shares to the attacker.
4. The attacker then sells these shares on the Cardex bonding curve to effectively steal ETH from the victim.
It is important to note that users’ ERC20s and NFTs were not at risk here due to the permissioning of the session keys."
Cardex reported that it returned 94.85 ETH to affected users; the distribution appears to have focused on higher-value wallets.
Cardex appears to be continuing to pursue the remaining funds.
HOW COULD THIS HAVE BEEN PREVENTED?
"The primary issues in this attack were the shared session signer wallet and the exposed session signer key on the frontend. This exploit would not have happened had the session signer wallet been scoped to each user or if the private key of the session signer had not been exposed. When we work with teams on session key integration, we recommend they create separate session signers per user and not store these keys in plain text (they should be encrypted in local storage) on the frontend."
Abstract Chain - "Early this morning, the Abstract security team detected an exploit originating from Cardex, an app within The Portal. This was not a vulnerability in the Abstract Global Wallet (AGW) or the Abstract network itself but an isolated security failure by a third-party app (Cardex)." - Twitter/X (Apr 24)
Cardex Space - "Cardex Army Onboarding... FYI, anyone who spams the mechanism to create an AGW with 0.001 ETH then immediately transfer out will be nuked and get smoked." - Twitter/X (Apr 24)
Cardex Homepage (Apr 24)
Brad (Windsor) - "Thank you for the update but it's been a bad day. ETH drained, can't afford to fund again and now I get 253 XP after using for hours a day all week. I was so hyped just a day ago and now I feel gutted. Where do I go from here?" - Twitter/X (Apr 24)
Zigoshi - "ABSTRACT TEAM SENDS THEIR USERS [AWAY], THEY DON'T CARE THAT THEY PUT SCAM ON THEIR SITE AND THEY BAN ALL DISSATISFIED PEOPLE WHO WANT TO GET THEIR MONEY BACK. even if you just put a smiley face on a post you get banned." - Twitter/X (Apr 24)
Cardex - "We want to start off by thanking the Abstract team for their continuous support in helping us recover funds. The support we've been given has been unmatched and they are going above and beyond. Here are some updates on where we are: 1. We have distributed a total of 94.85 ETH directly to affected wallets today 2. Alongside Abstract, we are currently working with law enforcement to identify any additional funds that may be able to be recovered. We appreciate the community's patience while we worked through recovering funds." - Twitter/X (Apr 24)
Cardex - "On Feb 18th, Cardex suffered from an attack associated with the compromised session key. We'd like to thank our users and abstract teams for their help. We're working with abstract team to track the flow of funds and recovery. Thanks for your patience." - Twitter/X (Apr 24)
Cardex - "Cardex is now live @AbstractChain! No code needed. Trade, Compete, Win. Built on top of real TCG cards. First 24 hrs is presale for early access users, then public. Tournament will start later." - Twitter/X (Apr 24)
Malicious Contract Reported By @jarrodWattsDev - Abscan (Apr 25)
Cardex Smart Contract Creation - Abscan (Apr 25)
First Purchase of Cardex Shares - Abscan (Apr 25)
Theft Of Pudgy Penguin NFT - Abscan (Apr 25)
First Ethereum Profit Transaction - Abscan (Apr 25)
https://x.com/AbstractChain/status/1891928658341753039 (Apr 24)
https://x.com/cardex_space/status/1888609372655243590 (Apr 24)
https://x.com/Brad1867/status/1891957729213743408 (Apr 24)
https://x.com/zigoshka/status/1892171750210691073 (Apr 24)
https://x.com/cardex_space/status/1897435911224496300 (Apr 24)
https://x.com/cardex_space/status/1892050287705079882 (Apr 24)
https://x.com/cardex_space/status/1889462911912837501 (Apr 24)
https://dune.com/artemisrsch/abstract-drain (Apr 25)
'Cardex' Game Exploit Drains Wallets on Ethereum Layer-2 Abstract - Decrypt (Apr 25)
