Several Abstract Chain users have reported having their funds drained, while devs have claimed that the issue stems from a specific application on the network.
On February 18, a number of Abstract Global Wallet (AGW) users reported unexpected fund withdrawals, raising concerns over a potential security breach.
The exploited wallets saw their entire balances wiped, leaving users scrambling for answers.
URGENT
Reports of ETH draining from @AbstractChain.
Move your NFTs and assets asap!
People saying it's Cardex.
What happened?
The incident was initially thought to be an external exploit of the network’s smart contracts, but concerns quickly turned toward one specific app.
A few hours after initial reports emerged, Abstract Chain developer 0xBeans reassured users that the issue was not a network-wide Abstract Global Wallet vulnerability but instead linked to Cardex, a tokenized trading card game built on the Abstract ecosystem.
“We are aware of some Abstract users being compromised,” they posted on X, urging users to avoid interacting with Cardex while the team investigated.
In a subsequent post, 0xBeans clarified that the root cause was Cardex mishandling its private key, which may have left users exposed.
“If you’ve ever interacted with this app, revoke your sessions,” they warned, urging users to use Revoke Cash, a web3 security tool that allows users to manage and revoke token approvals on their crypto wallets.
While the total extent of losses is yet to be determined, 0xBeans has vowed to release a “larger post-mortem” of the incident in an upcoming update.
However, one community member, citing Dune Analytics data, estimated losses of over 180 ETH, which amounts to a little over $482,000 based on current prices.
On-chain security firm Quill Audits analyzed the attack, explaining that the exploiter deployed a malicious contract that allowed them to siphon funds from compromised wallets before starting to launder the funds.
The stolen assets first passed through a bootloader address before being funneled into the attacker’s contract.
From there, the funds were dispersed across multiple wallets, a common tactic used to obscure the trail and make tracing funds more complex.
At the time of Quill Audits’ report, at least three of the identified attacker wallets held around $30,000 in stolen ETH.
In the meantime, users of the supposedly malicious dApp have flooded X with frustration and accusations, calling Cardex a scam and demanding answers.
Replying to @cardex_space
yah this entire X account looks like a scam lol no wonder it's draining wallets
As of press time, the Cardex team has yet to issue a statement regarding the allegations. The development comes just days after the dApp went live on February 12.
What is Abstract Chain?
Launched last month, Abstract Chain is an Ethereum Layer-2 network developed by Igloo Inc., the company responsible for the popular NFT collection dubbed Pudgy Penguins.
It leverages zkSync’s ZK Stack to offer various scalable and cost-effective on-chain solutions.
The wallet drain issue also comes just a day after Abstract hit a major milestone by deploying over 1 million AGW wallets.
AGW allows users to create smart contract wallets using familiar logins like email or social accounts, making it easier for non-crypto native users to set up an on-chain wallet.
The post Ethereum L2 Abstract Chain probes wallet drain issue after users flag missing funds appeared first on Invezz