- Over $470,000 worth of Ethereum was drained from user wallets due to mishandled private keys in the Cardex trading card game.
- The exploit occurred through session keys that gave the application extended control over user wallets for up to one month.
- The attack affected only users who had directly interacted with the Cardex application on the Abstract network.
- Core contributors confirmed the security breach was due to operational security failures rather than smart contract vulnerabilities.
- The incident raises concerns about the safety of session-based authorization systems in blockchain gaming.
A security breach in the blockchain-based trading card game Cardex resulted in approximately $484,000 worth of Ethereum being stolen from user wallets, according to blockchain analytics. The incident occurred on the Abstract layer-2 network, where compromised private keys enabled an attacker to drain funds from players who had authorized the application.
The exploit emerged shortly after Cardex’s official launch, which featured tokenized versions of valuable trading cards, including rare Pokémon collectibles. Users were required to grant session permissions to participate in the game’s tournament system, where cards were ranked based on performance metrics and rarity scores.
Abstract network contributors Cygaar and 0xBeans identified the root cause as a compromised private key, which allowed the attacker to exploit the session authorization system. These sessions, typically designed to improve user experience by reducing repeated transaction approvals, became a vulnerability when the key fell into malicious hands.
“Session basically refers to a temporary authorization that allows a smart contract (or dapp) to execute transactions on behalf of the user without requiring new approvals every time,” explained Preetam Rao, CEO of Quill Audits.
The incident has sparked debate within the cryptocurrency community about the security trade-offs of user-friendly features. While core contributors maintained that all featured applications underwent thorough auditing, the breach highlighted potential risks in operational security practices rather than smart contract vulnerabilities.
The attack’s impact was contained to Cardex users, though some community members disputed the extent of the isolation. The exploit continued for approximately seven hours before developers implemented security updates to prevent further losses.
This security incident adds to a growing list of concerns about blockchain gaming security, particularly regarding the balance between user convenience and robust protection of assets. Industry experts suggest that while session-based systems aren’t inherently flawed, their implementation requires stringent security measures and careful key management protocols.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Solana Price Plunges 40% Amid Network Activity Drop and Token Unlock Concerns
- Norwegian Authorities Charge Four in $62 Million Crypto Money Laundering Case
- Invesco Partners with DigiFT to Launch Tokenized Private Credit Fund in Singapore
- Trump Meme Coin Announces President’s Day Airdrop for Official Merchandise Buyers
- Crypto CEO Claims He Bought Influence with Argentine President’s Inner Circle
