Abstract, the Ethereum Layer 2 platform, has released an initial post-mortem on a security incident that resulted in the compromise of approximately $400,000 in ETH across 9,000 wallets that had interacted with Cardex, a blockchain-based game on its network.
The report clarified that the breach arose from vulnerabilities in Cardex's front-end code rather than from a problem with Abstract's core infrastructure or the session key validation contracts.
Cardex wallet compromise
The incident revolved around the misuse of session keys, a mechanism in the Abstract Global Wallet (AGW) that grants temporary, scoped permissions to improve the user experience.
While session keys themselves are a thoroughly audited security feature, Cardex made a critical error by using a single shared session signer wallet for all users, a practice that is not recommended. This flaw was compounded by the exposure of the session signer's private key in Cardex's front-end code, which ultimately led to the exploit.
According to Abstract's root cause <a href="https://x.com/0xCygaar/status/1891948692204368122" target="_blank" rel="noopener" data-wpel-link="external">analysis</a>, the attackers identified a victim's open session, initiated a buyShares transaction on their behalf, and then used the compromised session key to transfer the shares to themselves before selling them on the Cardex bonding curve to extract ETH.
It is worth noting that only the ETH used within Cardex was affected; users' ERC-20 tokens and NFTs remained safe because of the limits imposed by session key permissions.
The event timeline indicates that the first signs of suspicious activity were flagged at 6:07 am EST on February 18, when a developer posted a transaction link showing an address draining funds. Within 30 minutes, Cardex was suspected to be the source of the exploit, and security teams quickly mobilized to investigate.
Within hours, mitigation measures were taken, including blocking access to Cardex, deploying a session revocation site, and updating the affected contract to prevent further transactions.
Abstract has outlined several measures to prevent future incidents of this nature. Going forward, all applications listed on its portal must undergo a stricter security review, including front-end code audits to prevent the exposure of sensitive keys. In addition, session key usage in listed applications will be reassessed to ensure appropriate scoping and storage practices. The documentation on session key implementation will be updated to reinforce best practices.
What's ahead
In response to this breach, Abstract is also integrating Blockaid's transaction simulation tools into AGW, which will help users see what permissions they are granting when creating session keys. New collaborations with Privy and Blockaid are under way to improve session key security.
A session keys page will also be introduced on the portal, which is expected to provide users with a centralized interface to review and revoke their open sessions.