In the latest blow to the recently-launched Ethereum Layer-2 blockchain, Abstract-based trading card game Cardex has suffered a major exploit, leading to “approximately $400,000” in lost user funds.
This “isolated security failure” – a fault on Cardex’s side, not a vulnerability in the wider Abstract Global Wallet or Abstract Chain – has caused much outrage amongst the community, with many users claiming to have lost thousands of dollars in an incident that lasted over 3 hours and 30 minutes.
Abstract have confirmed that the exploit was caused when one of the Cardex team “inadvertently exposed the private key to their session signer on the front-end of their website”. Abstract are now “working with Seal 911 to help Cardex remediate the situation and make users whole”.

What was the cause of the exploit?
In short, Cardex unintentionally exposed the private key to their session signer on the front-end of their website. The attacker then used this private key to initiate transactions from Cardex’s contracts to any wallet that had approved a session key with Cardex. Approximately $400,000 USD in ETH was lost before the exploit was fixed.
Abstract contributor @0xCygaar went into further detail on X. He explained that although multiple audits had been completed on all the technology involved – both for Abstract and Cardex – the exploit was unfortunately due to “negligence by Cardex in their app’s frontend code”.
As a result of this exploit, @0xCygaar confirmed that on top of the existing audits required of Abstract apps prior to listing on The Portal, third-party teams will now have to “improve measures to secure their entire stack and security operations practices”. This includes “another round of review” for any apps that use session keys, with updated documentation on best practice for their use.

Is Abstract safe?
The Abstract Chain has had a rocky start since its debut on January 27, 2025 – and this exploit of what appeared to be a trusted app available through the Abstract Portal has led many to question the security of the ecosystem.
In a post on X, the Abstract team have reiterated that they follow a “rigorous security process” before adding any prospective apps to the Abstract Portal. This includes “one-on-one onboarding”, “collaboration on best security practices”, and “mandatory extensive security audits”.
As a preventative measure, Abstract have recommended that users regularly use Revoke to remove unused app approvals and permissions – a best practice for Web3 users regardless of the network.
Many in the community remain skeptical. @PopPunkOnChain requested to “never let this team be featured on the portal again”, @ripchillpill noted that “if [this happens again], then no matter what the explanation is, people will not care”, and @CryptosSniffer added that “more explanation will be needed to regain users’ trust”.
It remains to be seen whether victims of the Cardex exploit will be made whole, or what impact this could have on Abstract’s stated goal to become “the dominant consumer crypto chain”.

COO & founder of NFT Insider. Bullish on web3. Competitive soul.