Cardex Game has suffered a security breach, leading to substantial financial losses and affecting thousands of user wallets. The attack, which targeted the game’s interface, has raised concerns about the platform’s security and broader risks for blockchain-based projects.
Cardex is a blockchain-powered trading card game built on Abstract, an Ethereum layer-2 network. Players collect digital tokenized cards and compete using them within the ecosystem.
A $400K Security Breach
On Tuesday, Abstract shared an initial post-mortem on X (formerly Twitter) detailing the security breach. The incident resulted in the loss of approximately $400,000 in Ether (ETH) from about 9,000 wallets connected to Cardex.
Early this morning, the Abstract security team detected an exploit originating from Cardex, an app within The Portal. This was not a vulnerability in the Abstract Global Wallet (AGW) or the Abstract network itself but an isolated security failure by a third-party app (Cardex).…
— Abstract (@AbstractChain) February 18, 2025
The exploit was a “session key” attack: an attacker obtained a signing key that Cardex users had authorized to act on their wallets and used it to submit transactions that withdrew their funds.
According to Abstract contributor Cygaar, the root cause was a single session signer wallet shared by every Cardex player rather than one per user, with its private key embedded in Cardex’s frontend code, where anyone loading the site could read it. Once that one key leaked, every wallet that had granted it a session was exposed, a failure of session key management rather than of the wallet itself.
With the session key, the attacker could sign transactions on behalf of every affected user, transferring and selling assets to obtain ETH. ERC-20 tokens and NFTs held in the affected wallets were not drained.
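The mistake described above, a signer’s private key shipped inside client-side code, is one a build pipeline can catch before release. The following is an added example and is not code from Cardex or Abstract: it scans a bundle for 64-hex-digit literals, discards values that cannot be a secp256k1 private key (zero or at least the curve order), and uses the surrounding identifier as a triage hint. The bundle text and the key-like value in it are constructed for this illustration; the context heuristics are assumptions, not a standard.

```javascript
// Added example (not Cardex's or Abstract's code): pre-release scan of a
// frontend bundle for literals that look like embedded secp256k1 private keys.

// Order of the secp256k1 group: a valid private key k satisfies 0 < k < n.
const SECP256K1_N = BigInt(
  "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141"
);

// Exactly 64 hex digits, optionally 0x-prefixed, not part of a longer hex run
// (so a 128-hex signature or a 40-hex address is not mistaken for a key).
const HEX32_RE = /(?<![0-9a-fA-Fx])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])/g;

// Assumed heuristics: identifier names that suggest a key versus a hash.
const KEY_CONTEXT_RE = /priv|secret|signer|seed|key/i;
const HASH_CONTEXT_RE = /hash|digest|txid|root|order/i;

// Constructed sample bundle. The SESSION_SIGNER value is a made-up pattern,
// not a real key; the other lines exist to exercise the filters.
const SAMPLE_BUNDLE = `
const SESSION_SIGNER = "0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
const TX_HASH = "0x3a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9";
const ZERO = "0x0000000000000000000000000000000000000000000000000000000000000000";
const CURVE_ORDER = "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141";
const ADDRESS = "0x1234567890abcdef1234567890abcdef12345678";
`;

// True only for scalars that secp256k1 accepts as private keys.
function isValidPrivateKeyScalar(hex) {
  const k = BigInt(hex.startsWith("0x") ? hex : "0x" + hex);
  return k > 0n && k < SECP256K1_N;
}

// A 32-byte hash and a private key are indistinguishable by value alone, so
// the identifier on the same line is the only cheap signal for triage.
function classifyContext(line) {
  if (KEY_CONTEXT_RE.test(line)) return "high";
  if (HASH_CONTEXT_RE.test(line)) return "low";
  return "medium";
}

// Returns one finding per in-range candidate: its 1-based line, a truncated
// prefix (never log the whole candidate), and a confidence label.
function scanBundle(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(HEX32_RE)) {
      const literal = m[0];
      if (!isValidPrivateKeyScalar(literal)) continue; // 0 or >= n: never a key
      findings.push({
        line: idx + 1,
        prefix: literal.slice(0, 10) + "...",
        confidence: classifyContext(line),
      });
    }
  });
  return findings;
}

// Build gate: fail if anything better than a low-confidence hit is present.
function hasLikelyLeakedKey(source) {
  return scanBundle(source).some((f) => f.confidence !== "low");
}

console.log(JSON.stringify(scanBundle(SAMPLE_BUNDLE), null, 2));
console.log("block release:", hasLikelyLeakedKey(SAMPLE_BUNDLE));
```

Run it against the built bundle rather than the source tree, since secrets often arrive through environment substitution at build time. The scanner is a safety net, not the fix: a session signer’s private key has no business in client code in the first place, and a check like this only catches the case where that rule has already been broken.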
Mismanagement of Wallet Credentials
Notably, the post-mortem also emphasized that the issue was not related to Abstract’s core infrastructure or the Abstract Global Wallet (AGW). Instead, it resulted from Cardex’s mismanagement of critical wallet credentials, particularly session keys.
AGW session keys exist for convenience: a user authorizes an app’s signing key to act from their wallet for a limited time and within specific permissions, so the app can submit transactions without prompting for a signature each time. Because that key carries delegated control over user funds, it has to be handled as a secret: kept out of client code, scoped as narrowly as possible, and ideally unique per user so that one leak does not expose everyone.
Abstract advised users to stop interacting with Cardex and to revoke any active sessions to limit further exposure. Going forward, every project using session keys on Abstract must undergo a security audit.
“We will continue to consult with builders and security experts regularly to refine our processes and set the industry standard for security and user protection,” Abstract stated in its post.