- NFT lending pool XCarnival suffered a hack on June 26, and $3.8 million was reportedly stolen.
- The hacker accepted the team’s offer to return part of the funds for a 1,500 ETH bounty.
- Harmony was recently attacked for $100 million.
NFT lending platform XCarnival was hacked for over $3 million on June 26, resulting in the suspension of the smart contract. However, the hacker has accepted a bounty offer to return part of the stolen funds.
2) The hack is made possible by allowing a withdrawn pledged NFT to be still used as the collateral, which is then exploited by the hacker to drain assets from the pool.
— PeckShield Inc. (@peckshield) June 26, 2022
XCarnival recovers half of stolen funds
Blockchain security firm PeckShield explained that the hacker manipulated the protocol by using a withdrawn pledged NFT as collateral to borrow more funds. After several repeated transactions, the hacker gained 3,087 ETH, equivalent to $3.8 million at the time of the incident. PeckShield said the protocol loss might be larger.
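A simplified Python model of the flaw PeckShield describes, added here as an illustration and not XCarnival's contract code. The class, the order records and the flat per-NFT loan limit are assumptions. It puts the missing custody check beside the corrected one and exposes an invariant a monitor could assert.

```python
# Simplified model of an NFT-collateral lending pool. Constructed for
# illustration: names and the flat per-NFT loan limit are assumptions.
class LendingPool:
    LOAN_PER_NFT = 10  # assumed borrow limit per pledged NFT

    def __init__(self, check_custody):
        self.check_custody = check_custody  # False models the flawed variant
        self.orders = {}                    # order id -> owner, custody flag, debt

    def pledge(self, owner):
        oid = len(self.orders) + 1
        self.orders[oid] = {"owner": owner, "in_custody": True, "debt": 0}
        return oid

    def _order(self, owner, oid):
        order = self.orders.get(oid)
        if order is None or order["owner"] != owner:
            raise ValueError("unknown order")
        return order

    def withdraw(self, owner, oid):
        order = self._order(owner, oid)
        if order["debt"] > 0:
            raise ValueError("outstanding debt")
        order["in_custody"] = False  # NFT returned; the order record remains

    def borrow(self, owner, oid, amount):
        order = self._order(owner, oid)
        # The fix: collateral must still be held by the pool at borrow time.
        if self.check_custody and not order["in_custody"]:
            raise ValueError("collateral already withdrawn")
        if order["debt"] + amount > self.LOAN_PER_NFT:
            raise ValueError("exceeds loan limit")
        order["debt"] += amount

    def unbacked_debt(self):
        # Invariant for monitoring: debt on orders whose NFT left custody is 0.
        return sum(o["debt"] for o in self.orders.values() if not o["in_custody"])


def replay(pool):
    """Pledge, withdraw, then try to borrow; return (rejected, unbacked debt)."""
    oid = pool.pledge("user")
    pool.withdraw("user", oid)
    try:
        pool.borrow("user", oid, LendingPool.LOAN_PER_NFT)
        return False, pool.unbacked_debt()
    except ValueError:
        return True, pool.unbacked_debt()
```

In this model the flawed variant ends with debt that no escrowed NFT backs, while the corrected variant rejects the borrow and keeps the invariant at zero.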
XCarnival confirmed the attack in a tweet, noting that deposits and borrowing have been temporarily suspended. The team negotiated with the hacker to return half of the stolen funds while keeping the rest as a bounty. They also offered to exempt the person from legal action, which the hacker agreed to.
XCarnival was attacked on June 26, 2022 and suspended part of the protocol. XCarnival officials will give 0xb7CBB4d43F1e08327A90B32A8417688C9D0B800a owner 1500 ETH bounty.
At the same time, XCarnival officials explicitly exempt the person from legal action.
By XCarnival team
— XCarnival (@XCarnival_Lab) June 27, 2022
The hacker held on to 1,500 ETH as a bounty and returned 1,467 ETH to XCarnival officials.
Hackers have no chill
The crypto industry continues to see a growing number of protocol exploits and scams despite the crypto winter.
Less than a week ago, hackers exploited a vulnerability on Harmony’s Horizon bridge to steal about $100 million in Ethereum, Binance Coin, Tether, USD Coin, and Dai, which were all later swapped for ETH on decentralized exchanges, a “commonly seen technique with these hacks,” according to Elliptic.
Earlier in June, Osmosis liquidity pool was drained of $5 million. Shortly after the platform began investigating the source of the attack, about $2 million of the stolen funds were recovered from two members of FireStack, one of the biggest validators on Osmosis.