AbstractChain Investigates Cardex Security Breach

AbstractChain suffered a security breach linked to the third-party app Cardex on Tuesday, with multiple users reporting unauthorized withdrawals from their wallets.

We are aware of some Abstract users being compromised and want to assure everyone it is not a network wide Abstract Global Wallet (AGW) issue.

This issue seems to be isolated to an app (seems to be Cardex, please do not interact for the time being), we are working to get to the…

— 0xBeans (@0x_Beans) February 18, 2025

Despite initial concerns of a broader vulnerability within the Abstract Global Wallet (AGW), AbstractChain’s engineers have confirmed that the issue is isolated to Cardex.

AbstractChain’s Security Incident: What Went Wrong with Cardex?

The breach stemmed from a flaw in session key management within the Cardex smart contract, exposing users to unauthorized transactions.

Poorly implemented session key handling allowed an attacker to access active sessions and execute transactions without requiring direct user confirmation.

The AbstractChain team, including engineers 0xBeans and 0xCygaar, has actively addressed the situation and assured users that the Abstract Global Wallet itself remains secure.

Full report coming in a bit, but here's the TLDR of the situation:

– The issue is related to @cardex_space. If you've ever interacted with this app, revoke your sessions here: https://t.co/lJfbG3nlZW. This is super important.

– This is not an issue with AGW's contracts. There…

— cygaar (@0xCygaar) February 18, 2025

They have urged anyone who interacted with Cardex to immediately revoke existing approvals to prevent further security breaches.

Blockchain security experts have noted that the exploit resulted from improper session key management rather than a vulnerability in AbstractChain’s infrastructure.

Studying comms from amazing builders: @AbstractChain Security Concern.

TLDR:
Abstract took the issue very seriously, addressed it immediately, and gave a first-hand report of the situation from trusted gigabrain engineers.

1️⃣
Borked session key management leads to extreme…

— bleam.eth (@DrewBleam) February 18, 2025

Attackers leveraged this weakness to drain funds from users who had previously interacted with the compromised app.

Although the full extent of the financial losses is still being assessed, multiple users have reported losing Ethereum from their Abstract-linked wallets.

Two important things about the @cardex_space exploit from this morning 👇

1) This was an isolated event with Cardex, not a larger issue around Abstract or the AGW itself.

2) The team is actively working on additional security measures that will help prevent against similar…

— Phin (@Phin_totten) February 18, 2025

To mitigate risks, security specialists recommend that all Cardex users revoke session keys via the official revocation tool (https://revoke.abs.xyz) and enable two-factor authentication (2FA) for added security.

How the Community Responded to the Cardex Exploit

The AbstractChain team has received widespread support for its transparency and swift response to the breach.

Unlike traditional crisis management approaches led by marketing teams, AbstractChain allowed its engineers to communicate directly with the community.

Immediate public acknowledgment and ongoing technical explanations have reassured some users, though others remain concerned.

The team has pledged to release a full audit report detailing the root cause of the exploit and outlining corrective measures.

i got drained on ABSTRACT!

Everyone who used the CARDEX dapp should send their eth out! pic.twitter.com/TJuQfaP4Ea

— affilion.eth | Zoltán Fekete ♂ | 🐧 (@affilionETH) February 18, 2025

Despite AbstractChain’s quick response, concerns persist about the security of third-party applications built on the network.

Some community members have questioned whether security audits are sufficient to prevent similar incidents.

While AbstractChain engineers continue to investigate the breach, discussions about the exploit remain a focal point within the community.

The team has committed to implementing additional security enhancements to prevent future vulnerabilities in third-party applications.

Although the attack was isolated to Cardex, the full impact remains under investigation.

The community now awaits updates from AbstractChain and Cardex regarding the resolution of the exploit and potential restitution for affected users.

Digital Security Under Scrutiny

The Cardex breach shows that robust blockchains can falter with weak third-party apps.

Users must reassess permissions and update security settings immediately. Developers face pressure to enforce tighter oversight across integrations.

This incident reveals systemic vulnerabilities and calls for a disciplined industry approach to safeguard assets.

Looking ahead, industry leaders are expected to institute routine security audits and share best practices to address these risks.

Source: cryptonews.com
