Abstract responds to security incident: isolated vulnerability in third-party application Cardex causes loss of approximately $400,000
Odaily News: Abstract responded to the security incident on X: "This morning, the Abstract security team detected a vulnerability originating from the Cardex application within The Portal. This is not a vulnerability in the Abstract Global Wallet (AGW) or the Abstract network itself, but an isolated security failure of a third-party application (Cardex).
We are grateful to our engineering team, security researchers, Seal 911, and Cardex teams for their quick action to close the vulnerability and prevent further unauthorized access to user funds. The vulnerability involved the loss of approximately $400,000 in tokens.
Cause of the vulnerability
The Cardex team completed an initial audit and was approved to be listed on the portal, and in the process, the Cardex team inadvertently exposed the private keys to the session signers on their website frontend, which was outside the scope of the audit and a practice we warned against. This allowed the attacker to initiate transactions to the Cardex contract from any wallet that had approved the session key.
Abstract Security Standards
Abstract follows a rigorous security process before adding any application to our portal. This includes: one-on-one onboarding training with each team, collaboration on security best practices, and mandatory extensive security audits. We will continue to consult with builders and security experts regularly to improve our processes and set industry standards for security and user protection.
User Action Required
To prevent potential attack vectors, we strongly recommend that users regularly revoke approvals and permissions for applications and tokens in their Abstract wallet via Revoke."
