As a result of the negotiations, the hackers have already returned the bulk of the assets extracted from XCarnival’s reserves
According to the protocol's post-mortem, security agencies have “provisionally determined” the location of the hackers, and negotiations are under way.
XCarnival NFT lending platform attacked by unusual vector
NFT lending platform XCarnival was attacked, according to a statement shared by PeckShield, a leading cybersecurity provider for blockchain products.
1/ @XCarnival_Lab txs (a hack tx: https://t.co/LUcxSU9UQn) was exploited in a flurry of
– PeckShield Inc. (@peckshield) 26 June 2022
Thereby the hacker made a profit of 3,087 ETH (~$3.8M) (the loss of the protocol could be higher). pic.twitter.com/mmGw5PQfbt
The attackers managed to obtain an infinite number of loans using the same high-profile NFT (Bored Ape Yacht Club #5110). The protocol was targeted by a “flurry” of transactions initiated by the hackers.
The attackers generated multiple contract addresses, pledged BAYC NFTs as collateral, obtained loans, withdrew the NFTs instantly, and repeated the process several times.
In this way the hackers borrowed over $3.8 million in Ethereum (ETH) with no need to pay back the loans. This was made possible by a vulnerability in the code of the borrowing module.
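A monitoring check for the pattern described above, as an added example that is not XCarnival's or PeckShield's code: it replays a lending-event log and flags loans that are not backed by collateral held in custody, whichever order the borrow and the withdrawal arrive in. The event format, account names and amounts are constructed for illustration.

```python
from collections import defaultdict

# Constructed event log (not real chain data):
# (block, action, account, nft_id, amount_eth)
SAMPLE_EVENTS = [
    (100, "pledge",   "acct-1", "BAYC#5110", 0),
    (100, "borrow",   "acct-1", "BAYC#5110", 30),
    (100, "withdraw", "acct-1", "BAYC#5110", 0),   # debt still open
    (101, "pledge",   "acct-2", "BAYC#5110", 0),
    (101, "withdraw", "acct-2", "BAYC#5110", 0),
    (101, "borrow",   "acct-2", "BAYC#5110", 30),  # collateral already gone
    (102, "pledge",   "acct-9", "NFT#1", 0),       # ordinary, well-behaved loan
    (102, "borrow",   "acct-9", "NFT#1", 5),
    (110, "repay",    "acct-9", "NFT#1", 5),
    (111, "withdraw", "acct-9", "NFT#1", 0),
]

def find_unbacked_loans(events):
    """Replay events in order; return alerts where debt exists without collateral."""
    in_custody = set()          # (account, nft) pairs the pool currently holds
    debt = defaultdict(int)     # outstanding debt per (account, nft)
    alerts = []
    for block, action, account, nft, amount in events:
        key = (account, nft)
        if action == "pledge":
            in_custody.add(key)
        elif action == "borrow":
            if key not in in_custody:
                alerts.append((block, account, nft, "borrow without collateral in custody"))
            debt[key] += amount
        elif action == "repay":
            debt[key] = max(0, debt[key] - amount)
        elif action == "withdraw":
            if debt[key] > 0:
                alerts.append((block, account, nft, "collateral withdrawn with debt outstanding"))
            in_custody.discard(key)
    return alerts

def reused_collateral(alerts):
    """Map each NFT to the accounts that raised alerts on it, if more than one did."""
    accounts = defaultdict(set)
    for _block, account, nft, _reason in alerts:
        accounts[nft].add(account)
    return {nft: sorted(a) for nft, a in accounts.items() if len(a) > 1}

if __name__ == "__main__":
    found = find_unbacked_loans(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(reused_collateral(found))
```

The same two conditions, enforced inside the borrow and withdraw paths instead of observed afterwards, are the invariant a lending contract needs to hold.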
Hackers started returning money
The team immediately reported the issue to cybersecurity and law enforcement agencies. Initially, the hacker was offered a $300,000 reward for returning the funds, but the amount was then increased to $1.8 million.
The main contract as well as deposit and borrowing functions were shut down to prevent XCarnival users from losing their funds.
As soon as the attacker was tracked down, negotiations started. As of press time, the attacker has returned 1,467 of the stolen Ether (ETH). It should also be noted that the initial funds for the attack were transferred from the Tornado Cash mixer.
As previously covered by U.Today, hackers attacked the Inverse Finance decentralized lending protocol earlier this month; the shortfall was estimated at $1.25 million.