Cardex Wallets Drained Compromised Private Session Key

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository



[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22]

About Cardex

"Cardex offered tokenized digital versions of “high-end trading cards,” like a 1st Edition Shining Charizard Pokémon card, which could then be used to compete in online tournaments. Each card has a score that is calculated by its “performance” rating and multiplied by its rarity, with these scores used to determine who would win a tournament.

The game officially launched last week, after a 24-hour card presale for early access users."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

$400k worth of Ethereum were reportedly stolen from Cardex users on Abstract chain.

Key Event Timeline - Cardex Wallets Drained Compromised Private Session Key

Date | Event | Description
February 7th, 2025 10:22:03 PM MST | Cardex Contract Created | The Cardex smart contract is first launched on the blockchain.
February 7th, 2025 11:55:23 PM MST | First Cardex Share Purchase | The very first Cardex shares are purchased in a blockchain transaction.
February 11th, 2025 4:53:00 PM MST | Cardex Launch Tweet | Cardex reports that they are now live on Abstract Chain.
February 17th, 2025 2:27:33 AM MST | Ethereum Profit Theft Transaction | An early transaction taking profit in Ethereum from exploiting the Cardex smart contract.
February 18th, 2025 4:07:00 AM MST | Suspicious Address Reporting | @jarrodWattsDev posts an Abscan link to a suspicious address taking in users' funds.
February 18th, 2025 4:07:00 AM MST | First Users Report Drainer | The first user tweets and reports a drainer.
February 18th, 2025 4:14:00 AM MST | StinkyPablo Pings SEAL 911 | @stinkypablo pings SEAL 911.
February 18th, 2025 4:15:00 AM MST | Reply From SEAL 911 | SEAL 911 replies.
February 18th, 2025 4:24:00 AM MST | Cardex Suspected As Source | Cardex is suspected as the root cause of the drains.
February 18th, 2025 4:50:00 AM MST | 0xBeans Notifies Twitter | @0x_Beans notifies users on Twitter of the issue.
February 18th, 2025 5:30:00 AM MST | NSerec Shares Revoke Source Code | @NSerec shares the source code for a revoke site (revoke-session.vercel.app) so it can be deployed on an Abstract domain.
February 18th, 2025 5:32:00 AM MST | Chainlight Confirms Exposed Key | Chainlight confirms that the session signer key is exposed on the Cardex frontend.
February 18th, 2025 5:39:00 AM MST | Blockaid Flags Draining | Blockaid flags the draining activity through their automated dashboard.
February 18th, 2025 6:28:00 AM MST | Privy Blocks Website Access | Privy blocks all users from accessing Cardex to prevent new sessions from being created.
February 18th, 2025 6:56:00 AM MST | Revoke Website Deployed | https://revoke.abs.xyz is deployed to help users revoke their open sessions.
February 18th, 2025 7:35:00 AM MST | Contract Upgrade Completed | The contract is upgraded to revert on every transaction, preventing any further exploitation.
February 18th, 2025 12:11:00 PM MST | AbstractChain Announcement | AbstractChain posts an announcement addressing an early-morning exploit involving Cardex, a third-party app in The Portal, clarifying that the Abstract Global Wallet and network were not compromised. The breach, which impacted around $400,000 in token value, was due to Cardex exposing a session signer key in their frontend code, an issue outside the scope of their initial audits. Abstract praised the swift action of its team, Cardex, and SEAL 911 in containing the exploit and reaffirmed its commitment to high security standards. Users are urged to revoke unnecessary approvals via a newly set up revocation portal website.
February 18th, 2025 1:31:00 PM MST | Post-Mortem Published | Cygaar from AbstractChain posts a detailed post-mortem of the compromise, explaining that although Abstract's infrastructure and session key contracts were uncompromised, the issue stemmed from Cardex's frontend exposing a shared session signer key. This exposed key allowed an attacker to drain ~$400k in ETH from ~9,000 wallets by abusing session permissions to buy, transfer, and sell shares on behalf of victims. No ERC20s or NFTs were affected. The breach is attributed to poor session key practices by Cardex, particularly their use of a single session signer for all users. Abstract now mandates stricter audits and improved frontend security, and is rolling out tools such as a session key dashboard and Blockaid's simulation technology to prevent similar incidents.
March 5th, 2025 4:55:00 PM MST | Cardex Claims Disbursements | Cardex provides an update on the hack, expressing gratitude to the Abstract team for their support in the recovery process. As of that day, Cardex has distributed 94.85 ETH directly to affected wallets and is collaborating with Abstract and law enforcement to trace and potentially recover additional funds. They thank the community for their patience throughout the ongoing efforts. The vast majority of comments are from users who claim to have received no compensation.

Technical Details

"The Cardex team completed their initial audits to be approved to be listed on the portal, during this process the Cardex team inadvertently exposed the private key to their session signer on the front end of their website which was outside of the scope of the audit and a practice we warn about. This allowed an attacker to initiate transactions to the Cardex contracts for any wallet that had approved a session key with them."

"The problem today was that the session signer wallet was compromised through a leaked key in Cardex’s frontend code. Because the session signer is shared amongst all sessions, all users who had created sessions on Cardex were at risk. The actual exploit worked like this:

  • The attacker finds an open session belonging to a victim
  • Attacker creates a buyShares transaction to purchase shares on behalf of the victim
  • Attacker then calls transferShares through the compromised session to transfer shares to the attacker
  • The attacker then sells these shares on the Cardex bonding curve to effectively steal ETH from the victim

It is important to note that users’ ERC20s and NFTs were not at risk here due to the permissioning of the session keys."

Total Amount Lost

Losses have been consistently reported as approximately $400k.

The total amount lost has been estimated at $400,000 USD.

Immediate Reactions

The incident was detected and contained within hours on February 18th, 2025. At 4:07 AM MST, @jarrodWattsDev flagged a suspicious address draining user funds and the first public reports of a drainer surfaced. SEAL 911 was contacted at 4:14 AM MST and responded within a minute, and by 4:24 AM MST Cardex was identified as the likely source. Over the following hours, Chainlight confirmed that the session signer key was exposed on the Cardex frontend, while Blockaid flagged the ongoing draining activity. Mitigation included Privy blocking access to Cardex at 6:28 AM MST, the deployment of a revoke tool at revoke.abs.xyz at 6:56 AM MST, and a contract upgrade at 7:35 AM MST that made every transaction revert, halting further exploitation.

Ultimate Outcome

Abstract Chain was the first to report the incident publicly, and its statements framed the root cause as Cardex's mishandling of session keys. Cardex later publicly acknowledged the exploit and, working with Abstract, returned a portion of the funds to affected users.

Total Amount Recovered

Cardex reported returning 94.85 ETH to affected users, which appears to have been focused on higher-value wallets. Many users reported receiving no compensation, and it does not appear to have been made public which users were compensated or how that was decided.

Beyond that disbursement, no recovery of the stolen funds from the attacker has been reported.

Ongoing Developments

Cardex appears to be continuing to pursue the remaining funds together with Abstract and law enforcement. It does not appear that Cardex has relaunched the service.

General Prevention Policies

"The primary issues in this attack were the shared session signer wallet and exposed session signer key on the frontend. This exploit would not have happened had the session signer wallet been scoped to each user or if the private key of the session signer was not exposed. When we work with teams on session key integration, we recommend they create separate session signers per user and to not store these keys in plain text (should be encrypted in local storage) on the frontend."

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Abstract Chain - "Early this morning, the Abstract security team detected an exploit originating from Cardex, an app within The Portal. This was not a vulnerability in the Abstract Global Wallet (AGW) or the Abstract network itself but an isolated security failure by a third-party app (Cardex)." - Twitter/X (Accessed Apr 24, 2025)
  2. Cardex Space - "Cardex Army Onboarding... FYI, anyone who spam the mechanism to create an AGW with 0.001 ETH then immediatelly transfer out will be nuked and get smoked." - Twitter/X (Accessed Apr 24, 2025)
  3. Cardex Homepage (Accessed Apr 24, 2025)
  4. Brad (Windsor) - "Thank you for the update but it's been a bad day. ETH drained, cant afford to fund again and now I get 253 XP after using for hours a day all week. I was so hyped just a day ago and now I feel gutted. Where do I go from here?" - Twitter/X (Accessed Apr 24, 2025)
  5. Zigoshi - "ABSTRACT TEAM SENDS THEIR USERS [AWAY], THEY DON'T CARE THAT THEY PUT SCAM ON THEIR SITE AND THEY BAN ALL DISSATISFIED PEOPLE WHO WANT TO GET THEIR MONEY BACK. even if you just put a smiley face on a post you get banned." - Twitter/X (Accessed Apr 24, 2025)
  6. Cardex - "We want to start off by thanking the Abstract team for their continuous support in helping us recover funds. The support we've been given has been unmatched and they are going above and beyond. Here are some updates on where we are: 1. We have distributed a total of 94.85 ETH directly to affected wallets today 2. Alongside Abstract, we are currently working with law enforcement to identify any additional funds that may be able to be recovered. We appreciate the community's patience while we worked through recovering funds." - Twitter/X (Accessed Apr 24, 2025)
  7. Cardex - "On Feb 18th, Cardex suffered from an attack associated with the compromised session key. We'd like to thank our users and abstract teams for their help. We're working with abstract team to track the flow of funds and recovery. Thanks for your patience." - Twitter/X (Accessed Apr 24, 2025)
  8. Cardex - "Cardex is now live @AbstractChain! No code needed. Trade, Compete, Win. Built on top of real TCG cards. First 24 hrs is presale for early access users, then public. Tournament will start later." - Twitter/X (Accessed Apr 24, 2025)
  9. Malicious Contract Reported By @jarrodWattsDev - Abscan (Accessed Apr 25, 2025)
  10. Cardex Smart Contract Creation - Abscan (Accessed Apr 25, 2025)
  11. First Purchase of Cardex Shares - Abscan (Accessed Apr 25, 2025)
  12. Theft Of Pudgy Penguin NFT - Abscan (Accessed Apr 25, 2025)
  13. First Ethereum Profit Transaction - Abscan (Accessed Apr 25, 2025)
  14. https://x.com/AbstractChain/status/1891928658341753039 (Accessed Apr 24, 2025)
  15. https://x.com/cardex_space/status/1888609372655243590 (Accessed Apr 24, 2025)
  16. https://x.com/Brad1867/status/1891957729213743408 (Accessed Apr 24, 2025)
  17. https://x.com/zigoshka/status/1892171750210691073 (Accessed Apr 24, 2025)
  18. https://x.com/cardex_space/status/1897435911224496300 (Accessed Apr 24, 2025)
  19. https://x.com/cardex_space/status/1892050287705079882 (Accessed Apr 24, 2025)
  20. https://x.com/cardex_space/status/1889462911912837501 (Accessed Apr 24, 2025)
  21. https://dune.com/artemisrsch/abstract-drain (Accessed Apr 25, 2025)
  22. 'Cardex' Game Exploit Drains Wallets on Ethereum Layer-2 Abstract - Decrypt (Accessed Apr 25, 2025)