
Abstract exploit: hackers stole $400K from Cardex players via «lost» key

Published by Tetiana Nechet

The second-level (L2) blockchain Abstract reported a security breach that caused more than 9 thousand wallets to lose approximately $400 thousand in Ethereum. The incident is related to the Cardex blockchain card game.

The breach stemmed from the compromise of a session signer used with the Abstract Global Wallet. All Cardex users relied on this signer, and they became exposed when its key leaked through the Cardex frontend code. This allowed the attacker to empty wallets that had an active "session" with the game. While playing Cardex, users had to sign a transaction, the so-called session, which gave the application control over the wallet's funds for a certain period of time. A session essentially means temporarily authorizing a smart contract (or dApp) to execute transactions on behalf of the user without requiring a new approval each time.
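To make the session mechanism concrete, here is an added illustration (not code from Abstract, Cardex or the Abstract Global Wallet SDK) of how a wallet can evaluate a delegate-signed call against a session's scope, expiry and revocation status. The contract addresses, function names, the "delegate" key and the policy semantics are all constructed assumptions; the point is that a leaked session key is only as dangerous as the scope and lifetime the session granted, which is also why a revocation tool is the immediate fix.

```javascript
// Added illustration, not code from Abstract, Cardex or the AGW SDK: a toy
// model of wallet session keys. Contract addresses, function names and the
// "delegate" key are constructed placeholders with assumed semantics.

let nextSessionId = 1;

function scopeKey({ contract, fn }) {
  return `${contract.toLowerCase()}:${fn}`;
}

// A session lets a delegate key act for the owner, but only for the listed
// contract/function pairs and only until expiry (both are assumptions here).
function createSession({ owner, delegate, allowedCalls, ttlSeconds, now }) {
  return {
    id: nextSessionId++,
    owner,
    delegate,
    allowedCalls: new Set(allowedCalls.map(scopeKey)),
    expiresAt: now + ttlSeconds,
    revoked: false,
  };
}

// What a revocation tool does: the wallet stops honouring the session.
function revokeSession(session) {
  session.revoked = true;
  return session;
}

// Policy check the wallet performs before executing a delegate-signed call.
// Returns the first failing reason so the caller can log it.
function authorize(session, call, now) {
  if (session.revoked) return { ok: false, reason: "session revoked" };
  if (now >= session.expiresAt) return { ok: false, reason: "session expired" };
  if (call.signer.toLowerCase() !== session.delegate.toLowerCase()) {
    return { ok: false, reason: "signer is not the session delegate" };
  }
  if (!session.allowedCalls.has(scopeKey({ contract: call.to, fn: call.fn }))) {
    return { ok: false, reason: "call outside session scope" };
  }
  return { ok: true };
}

// Walk through the situations the article describes and return the outcomes
// so they can be inspected (or asserted on) rather than only printed.
function runScenario() {
  const GAME = "0xGAME";   // constructed placeholder for the game contract
  const TOKEN = "0xTOKEN"; // constructed placeholder for an ERC20 contract
  const t0 = 1_000_000;    // constructed "now" timestamp in seconds

  const session = createSession({
    owner: "0xPLAYER",
    delegate: "0xDELEGATE", // the key the frontend holds for the session
    allowedCalls: [{ contract: GAME, fn: "buyShares" }],
    ttlSeconds: 3600,
    now: t0,
  });

  // Whoever holds the delegate key can do whatever the session allows...
  const inScope = authorize(session, { signer: "0xDELEGATE", to: GAME, fn: "buyShares" }, t0 + 10);
  // ...but cannot touch contracts the session never named (tokens, NFTs).
  const outOfScope = authorize(session, { signer: "0xDELEGATE", to: TOKEN, fn: "transfer" }, t0 + 10);
  // Expiry bounds the exposure window even if nobody revokes.
  const expired = authorize(session, { signer: "0xDELEGATE", to: GAME, fn: "buyShares" }, t0 + 3600);
  // Revocation closes the session immediately, whatever the expiry says.
  revokeSession(session);
  const afterRevoke = authorize(session, { signer: "0xDELEGATE", to: GAME, fn: "buyShares" }, t0 + 20);

  return { inScope, outOfScope, expired, afterRevoke };
}

console.log(runScenario());
```

The scope check explains the article's observation that ERC20 tokens and NFTs were untouched: the session named only game functions. The expiry and revocation checks are the two controls a wallet has once a key has leaked, which is why short session lifetimes and a working revocation path matter more than the key's secrecy alone.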

Using the exploit, the attacker could identify victims' currently open sessions, initiate a buyShares transaction on their behalf, and transfer the resulting assets to his own account. He then sold them on the Cardex platform, effectively draining ETH from the victims.

The users’ ERC20 tokens and NFTs were not affected, as the session keys only accessed certain Cardex features.

Cardex launched on the Abstract Chain network on February 12. This is a collectible and gaming app that is currently hosting an active tournament, which may have caused a larger number of wallets to be drained.

Abstract blocked access to Cardex to prevent further unauthorized transactions and launched a revocation tool (https://revoke.abs.xyz) so that users can revoke their open sessions. The team also updated the Cardex contracts to prevent further transactions.

Improper management of private keys led to numerous hacker attacks, which resulted in the theft of almost $80 million in January alone.

Source: Abstract