Cardex, a crypto trading card game on the Ethereum layer-2 network Abstract, mishandled its private keys, according to Abstract core contributors, leading to over $470,000 worth of Ethereum being drained from wallets that had interacted with it.

Cardex offered on-chain versions of “high-end trading cards”, like a 1st Edition Shining Charizard Pokémon card, which could then be used to compete in online matches. Each card has a rating calculated from its “performance” standing and boosted by its rarity, and these values determine who wins a game.

Following a 24-hour early-access card sale, the game officially launched last month. Wallets that had interacted with the Abstract app started being drained early on Tuesday. The Cardex private key was mishandled and fell into the hands of a malicious actor, according to pseudonymous Abstract core contributors Cygaar and 0xBeans, who confirmed it on X (formerly Twitter).

With this key, the attacker was able to drain wallets that had an active “session” with the game. It appears that when playing Cardex, users were prompted to sign a transaction, referred to as a session, that would give the game full control over the wallet’s funds for a period of time—allegedly a month in this case, according to one developer who spoke with .

According to Preetam Rao, CEO of security firm Quill Audits, “Session basically refers to a temporary authorization that allows a smart contract (or dapp) to execute transactions on behalf of the user without requiring new approvals every time.”
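To make the session mechanism Rao describes concrete, here is a small Python model of a wallet that honours session grants. This is an added example, not Abstract’s, Cardex’s or Rao’s code; the wallet class, its policy fields, the addresses and the amounts are all assumptions. It shows why the scope of a session, rather than the existence of session keys, decides the blast radius when the dapp’s signing key leaks: an unscoped month-long grant of the kind described above exposes the whole balance, while a session bounded by expiry, spend cap and allowed target exposes only the cap, and only through the game contract.

```python
"""Toy model of wallet session keys: a session lets a dapp-held key act for the
wallet without a fresh approval per transaction. Added illustration only; not
Abstract's or Cardex's account code. Names, limits and timestamps are assumed."""
from dataclasses import dataclass, field

ETH = 10**18
DAY = 86400


@dataclass(frozen=True)
class Session:
    signer: str                 # key the dapp holds; may act for the wallet
    expires_at: int             # unix time after which the session is dead
    spend_cap_wei: int          # total value the session may ever move
    allowed_targets: frozenset  # contracts it may call; empty = any (unscoped)


@dataclass
class Wallet:
    owner: str
    balance_wei: int
    sessions: dict = field(default_factory=dict)   # signer -> Session
    spent_wei: dict = field(default_factory=dict)  # signer -> running total

    def grant(self, session: Session) -> None:
        self.sessions[session.signer] = session
        self.spent_wei[session.signer] = 0

    def revoke(self, signer: str) -> None:
        self.sessions.pop(signer, None)

    def execute(self, signer: str, target: str, value_wei: int, now: int) -> tuple:
        """Policy check the wallet runs before letting `signer` move funds."""
        if value_wei > self.balance_wei:
            return False, "insufficient balance"
        if signer != self.owner:
            s = self.sessions.get(signer)
            if s is None:
                return False, "no session for signer"
            if now >= s.expires_at:
                return False, "session expired"
            if s.allowed_targets and target not in s.allowed_targets:
                return False, "target not allowed by session"
            if self.spent_wei[signer] + value_wei > s.spend_cap_wei:
                return False, "session spend cap exceeded"
            self.spent_wei[signer] += value_wei
        self.balance_wei -= value_wei
        return True, "ok"


def max_exposure(wallet: Wallet, signer: str, target: str, now: int) -> int:
    """Largest value whoever holds `signer` could move to `target` right now.
    This is the blast radius of a leaked key under the wallet's policy."""
    if signer == wallet.owner:
        return wallet.balance_wei
    s = wallet.sessions.get(signer)
    if s is None or now >= s.expires_at:
        return 0
    if s.allowed_targets and target not in s.allowed_targets:
        return 0
    return min(wallet.balance_wei, s.spend_cap_wei - wallet.spent_wei[signer])


def compare_policies(now: int) -> dict:
    """Exposure of a leaked dapp key under an unscoped 30-day session versus a
    scoped one. All addresses and balances are constructed for the example."""
    game_key = "0xGAME_SESSION_KEY"  # hypothetical key held by the game backend
    # Unscoped: full control of the balance for 30 days.
    loose = Wallet("0xALICE", 2 * ETH)
    loose.grant(Session(game_key, now + 30 * DAY, 2 * ETH, frozenset()))
    # Scoped: one hour, 0.05 ETH in total, and only the game contract as target.
    tight = Wallet("0xBOB", 2 * ETH)
    tight.grant(Session(game_key, now + 3600, ETH // 20, frozenset({"0xGAME_CONTRACT"})))
    return {
        "loose_exposure_eth": max_exposure(loose, game_key, "0xANYWHERE", now) / ETH,
        "tight_exposure_to_outsider_eth": max_exposure(tight, game_key, "0xANYWHERE", now) / ETH,
        "tight_exposure_via_game_eth": max_exposure(tight, game_key, "0xGAME_CONTRACT", now) / ETH,
        "tight_after_expiry_eth": max_exposure(tight, game_key, "0xGAME_CONTRACT", now + 2 * 3600) / ETH,
    }


if __name__ == "__main__":
    for name, eth in compare_policies(1_700_000_000).items():
        print(f"{name}: {eth} ETH")
```

The point of `max_exposure` is that it can be computed from the grant alone, before any key is lost: a user (or an ecosystem portal vetting apps) can read a session’s expiry, cap and target list and know the worst case up front. The `revoke` path is what a user can do once an incident is announced; the spend cap is what protects them before they hear about it.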

Over the course of seven hours, the attacker successfully drained over 180 ETH, worth approximately $484,000, according to a Dune dashboard tracking the attacker’s wallet.

Fortunately, the exploit was limited to Cardex, leaving anyone who had not interacted with the app safe, despite some users’ claims to the contrary. Likewise, according to Cygaar, Cardex was updated, which brought the attack to an end. Cygaar confirmed that a full report on the situation will be made available once all the details are ironed out.

“This is a huge blow to the Abstract ecosystem,” Rao told . “Cardex still hasn’t confirmed the attack from their social media accounts, which is a bad move. At this time, they ought to be transparent.”

The attack has raised uncomfortable questions about how apps are promoted within the Abstract ecosystem. Some Abstract users are upset that they were encouraged to try apps that could put their funds at risk.

“Every app contract on the portal has been audited (everything that is highlighted has a tier-1 firm auditing it),” Cygaar claimed. “The problem in this case was not contract specific, but even then we could’ve done a better job forcing them to have their [operational security] verified.”

Still, some users have pushed back on this explanation, claiming that the exploit shows session keys as a whole aren’t a safe solution for users. Abstract was built around user-friendliness and attracted a large user base in part because of streamlined features like this.

Rao said that broadly blaming session keys isn’t the answer, however, even if this particular implementation burned users.

“Generally, session keys are good to have,” Rao explained. “It just depends on how they are managed. Think of them like guest passes—you wouldn’t want to give approval to a contract again and again for a swap transaction, right? It just makes it more convenient.”
