Abstract has issued a post-mortem after a security breach involving Cardex, a third-party app within The Portal. This incident impacted around 9,000 wallets and resulted in the theft of approximately $400,000 in Ethereum. Early on Tuesday, Abstract’s security team identified an exploit originating from Cardex. This breach was not due to a vulnerability in the Abstract Global Wallet (AGW) or the Abstract network but was an isolated security failure of the third-party app.

The breach was traced back to a private key exposed in Cardex's front end: the session signer key that users had authorised to act on their behalf. With that key, attackers could act as any user who still had an approved session, without any further prompt to the user. Despite the breach's severity, the security teams of Abstract, Seal 911, and Cardex acted quickly to contain the exploit and secure user funds.

The root cause was a flaw in Cardex's session key management. During its initial audit for listing on The Portal, Cardex inadvertently shipped its session signer's private key in the website's front-end code. Anything bundled into a front end is readable by anyone who loads the page, so the key was effectively public. Worse, Cardex used a single session signer for every user rather than one signer per user, so that one key was a single point of failure: anyone holding it could impersonate every user with an active session and perform the actions the session permitted, such as buying, transferring, and selling shares, without further user confirmation.

0xCygaar, an Abstract engineer, identified two contributing causes: the shared session signer and the exposure of its private key in Cardex's front end. Because every active session trusted the same signer, exposing that one key compromised all of them at once. The blast radius was nevertheless bounded by the session keys' scope: they were limited to Cardex's own smart contracts, so the attacker could not touch users' ERC20 tokens or NFTs.

Abstract responded swiftly by working with Seal 911, security researchers, and the Cardex team to contain the breach. Within hours, they identified the exposed session signer key, suspended Cardex on The Portal, and deployed a revocation tool to help users revoke open session keys. The compromised contract was upgraded to revert all transactions, preventing further exploitation.

Moving forward, Abstract is implementing stricter security measures, including comprehensive audits for all projects listed on The Portal, individualized session signers per user, and encrypted key storage. Additionally, Abstract plans to integrate Blockaid’s transaction simulation tooling into the Abstract Global Wallet to help users better understand permissions when creating session keys. A session key dashboard will also be introduced to give users more control and visibility over their active sessions.

**Twitter Update:**
Early this morning, the Abstract security team detected an exploit originating from Cardex, an app within The Portal. This was not a vulnerability in the Abstract Global Wallet (AGW) or the Abstract network itself but an isolated security failure by a third-party app (Cardex).