
Cardex Hack: $470K ETH Lost Due to Private Key Compromise

  • Blockchain game Cardex lost $470K in ETH after exposing private keys to attackers.
  • A session key exploit allowed the hackers to drain player wallets over 7 hours.
  • Although the app contracts were audited, the operational security measures failed to prevent mishaps.

In a plot twist, Cardex, a blockchain trading card game, accidentally handed over its private keys faster than a rookie trader FOMOing into a meme coin. The result? $470,000 worth of Ethereum vanished quicker than free pizza at a blockchain conference.

Cardex launched with a big promise: tokenized versions of valuable trading cards, including the coveted 1st Edition Shining Charizard Pokémon card. Players could use these digital assets in online tournaments, with card values determined by performance ratings and rarity. However, the excitement of digital card collecting quickly turned to concern when users’ wallets began losing funds.

The incident stemmed from what appeared to be a routine permission request. Users were prompted to sign a transaction granting the app control over their wallets for what turned out to be a month-long period. This “session key” authorization, while designed for convenience, became the avenue for unauthorized access when the private key was compromised.

Over a seven-hour period, an attacker systematically withdrew 180 ETH (approximately $484,000) from user wallets. Abstract network contributors Cygaar and 0xBeans confirmed the breach, noting that while the app contracts were audited, the operational security measures failed to prevent the key mishandling.

Preetam Rao, CEO of security firm Quill Audits, explained that session keys typically function like temporary access passes – useful for streamlining repeated transactions but potentially risky if not properly managed. The incident highlights how user-friendly features can sometimes compromise security when not properly implemented.
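
As an added illustration of the "temporary access pass" idea (not code from Cardex, Abstract or Quill Audits), the sketch below models a session grant, audits it before the user signs, and enforces its limits on each call. The field names, the 24-hour threshold, and all addresses and amounts are assumptions constructed for the example.

```python
from dataclasses import dataclass

DAY = 86_400  # seconds

@dataclass
class SessionGrant:
    """Hypothetical session-key policy; fields are assumptions, not a real wallet schema."""
    signer: str                 # address of the delegated session key
    expires_at: int             # unix time after which the key is rejected
    allowed_targets: frozenset  # contracts the key may call; empty = any (over-broad)
    max_value_per_tx: int       # wei cap per call; 0 = unlimited (over-broad)
    budget: int                 # wei cap for the whole session; 0 = unlimited
    spent: int = 0              # running total of value moved under this grant

def audit(grant, issued_at):
    """Return findings a wallet could show before the user signs the grant."""
    findings = []
    if grant.expires_at - issued_at > DAY:  # assumed threshold for "temporary"
        findings.append("lifetime exceeds 24h")
    if not grant.allowed_targets:
        findings.append("no target allow-list")
    if grant.max_value_per_tx == 0 or grant.budget == 0:
        findings.append("no spend limit")
    return findings

def authorize(grant, signer, target, value, now):
    """Wallet-side check for one call signed by a session key; records spend if allowed."""
    if signer != grant.signer or now >= grant.expires_at:
        return False
    if grant.allowed_targets and target not in grant.allowed_targets:
        return False
    if grant.max_value_per_tx and value > grant.max_value_per_tx:
        return False
    if grant.budget and grant.spent + value > grant.budget:
        return False
    grant.spent += value
    return True

# Constructed sample data (not taken from the incident).
ETH = 10**18
T0 = 1_700_000_000
KEY = "0xSessionKey"    # placeholder address
GAME = "0xGameContract"  # placeholder address
# Month-long grant with no limits, the kind of scope the article describes.
broad = SessionGrant(KEY, T0 + 30 * DAY, frozenset(), 0, 0)
# One-hour grant limited to the game contract, 0.01 ETH per call, 0.05 ETH total.
scoped = SessionGrant(KEY, T0 + 3600, frozenset({GAME}), ETH // 100, ETH // 20)
```

Under the broad grant, any holder of the session key passes every check for the full month; under the scoped grant, the worst-case loss per wallet is bounded by the budget and the one-hour expiry.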


While Cardex has updated its system to prevent further unauthorized access, the incident serves as a valuable lesson in digital asset security. It shows how enthusiasm for new blockchain applications should be balanced with careful consideration of security implications.

The blockchain gaming space is changing. But this event reminds us that in the rush to participate in exciting new projects, taking time to understand security implications remains important. As one developer noted, sometimes the most expensive lesson is the one that teaches us to read the fine print.
