Cardex Users Hit with $400K Loss Over Developer Glitch
The Cardex app, running on the L2 Abstract blockchain and developed by Igloo—Pudgy Penguins’ parent company—suffered a $400,000 hit when a private key was leaked.
The Abstract team’s official investigation pinpointed the culprit: an accidental leak of a private session key. This key is designed to allow AGW wallets to work with certain applications via separate sessions, thereby offloading some management tasks to a third party. Although this setup is intended to create a seamless experience for users, an improper configuration can open the door to serious security breaches.
That’s precisely what unfolded here. In clear violation of Abstract’s standards, the developers behind Cardex used one session key for all users and neglected to encrypt it properly within the website’s code. This critical mistake enabled hackers, who managed to uncover the key, to perform transactions on behalf of every user connected to the platform.
The incident impacted over 9,000 wallets, although Ethereum mainnet tokens (ERC20), NFTs, and other AGW users were not affected. This points directly to a flaw on Cardex’s side, where developers failed to secure the private key properly, breaching several essential data processing protocols.
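As an added illustration (not code from Cardex, Abstract or the original article), the following JavaScript shows a pre-release check for the two failures described above: a key-like literal shipped in client code, and one session signer shared across many wallets. The record fields `wallet` and `signer`, the function names and all sample data are constructed for this example.

```javascript
// Added example: audit checks for the two failures described in the article.
// Field names and sample data are constructed, not taken from any real SDK.

// 1) A 32-byte hex literal in shipped client code is a candidate private key.
//    It can also be a hash, so every hit needs human review.
const KEY_LITERAL = /(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])/g;

function findKeyLiterals(bundleText) {
  const hits = [];
  bundleText.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(KEY_LITERAL)) {
      // Report the position and a short prefix only, never the full value.
      hits.push({ line: i + 1, preview: m[0].slice(0, 10) + "..." });
    }
  });
  return hits;
}

// 2) A session signer registered for more than one wallet means a single
//    leaked key can act on behalf of every one of those wallets.
function findSharedSigners(sessions) {
  const walletsBySigner = new Map();
  for (const { wallet, signer } of sessions) {
    const key = signer.toLowerCase();
    if (!walletsBySigner.has(key)) walletsBySigner.set(key, new Set());
    walletsBySigner.get(key).add(wallet.toLowerCase());
  }
  return [...walletsBySigner]
    .filter(([, wallets]) => wallets.size > 1)
    .map(([signer, wallets]) => ({ signer, wallets: [...wallets].sort() }));
}

// Constructed sample inputs: a tiny "bundle" and three session records.
const sampleBundle = [
  'const API = "https://example.invalid/api";',
  'const SESSION_KEY = "0x' + "ab".repeat(32) + '";',
  'const color = "#ff00aa";',
].join("\n");

const sampleSessions = [
  { wallet: "wallet-a", signer: "signer-1" },
  { wallet: "wallet-b", signer: "signer-1" },
  { wallet: "wallet-c", signer: "signer-2" },
];

console.log(findKeyLiterals(sampleBundle));
console.log(findSharedSigners(sampleSessions));
```
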
“We appreciate the trust and support of our builders and users. Our primary focus now is working with Seal 911 to help Cardex remediate the situation and make users whole,” the developers at Abstract remarked.
In the wake of the breach, the Abstract team urged all users to immediately log off and steer clear of the application until further instructions are issued. They declared that every app—whether new or already in operation—that employs session keys and is presented on The Portal must undergo a comprehensive new audit. Moreover, they are committed to further educating third-party developers and reinforcing security measures to avert future incidents.