Hacked Lending Protocol XCarnival Receives $1.9M Worth of Stolen ETH Back

In a quick-paced development, XCarnival, describing itself as a Metaverse Asset Bank, lost over 3,087 ETH to a hacker and negotiated the return of half of the funds less than 24 hours after the incident. 

Exploiting a flaw in its smart contract, the attacker used a Bored Ape Yacht Club NFT that had already been withdrawn after being pledged as collateral to borrow from the platform. The same transaction was repeated several times until a watchdog alerted XCarnival, which promptly paused its operations – smart contracts, lending, and borrowing.

Alert from Watchdog

The platform, for which the loss could be much higher, was alerted by blockchain security and data analytics company PeckShield. The initial amount used for the attack was 120 ETH, which the hackers withdrew from Tornado Cash, PeckShield said.

Subsequently, the watchdog provided more details in a series of tweets as to how the hack was pulled off.  

“The hack is made possible by allowing a withdrawn pledged NFT to be still used as the collateral, which is then exploited by the hacker to drain assets from the pool,” it said in one of its tweets. 
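The flaw PeckShield describes can be shown with a small accounting model. The following is an added example, not XCarnival's contract code: the class, field and function names are hypothetical, and the amounts are constructed. It compares a pool that lends against a pledge record without checking custody to one that checks, and includes an invariant a monitor could evaluate.

```python
# Simplified model of pledge/withdraw/borrow accounting. Constructed for
# illustration; every name here is hypothetical, not XCarnival's contract code.
class Pool:
    def __init__(self, liquidity, check_custody):
        self.liquidity = liquidity
        self.check_custody = check_custody  # False reproduces the missing check
        self.orders = {}                    # order id -> pledge record

    def pledge(self, owner, nft):
        oid = len(self.orders) + 1
        self.orders[oid] = {"owner": owner, "nft": nft, "held": True, "debt": 0}
        return oid

    def withdraw(self, owner, oid):
        o = self.orders[oid]
        if o["owner"] != owner or not o["held"] or o["debt"]:
            raise ValueError("withdraw refused")
        o["held"] = False  # NFT leaves the pool, but the pledge record stays

    def borrow(self, owner, oid, amount):
        o = self.orders[oid]
        if o["owner"] != owner or amount > self.liquidity:
            raise ValueError("borrow refused")
        if self.check_custody and not o["held"]:
            raise ValueError("collateral is no longer held by the pool")
        o["debt"] += amount
        self.liquidity -= amount


def unbacked_debt(pool):
    """Invariant for monitoring: debt on records whose NFT has left the pool."""
    return sum(o["debt"] for o in pool.orders.values() if not o["held"])


def replay(check_custody, rounds=3, loan=10):
    """Pledge and withdraw one NFT `rounds` times, then borrow on each record."""
    pool = Pool(liquidity=100, check_custody=check_custody)
    ids = []
    for _ in range(rounds):
        oid = pool.pledge("user", "nft-1")
        pool.withdraw("user", oid)
        ids.append(oid)
    refused = 0
    for oid in ids:
        try:
            pool.borrow("user", oid, loan)
        except ValueError:
            refused += 1
    return pool.liquidity, unbacked_debt(pool), refused
```

With the custody check off, `replay(False)` leaves the pool with debt backed by no held collateral; with it on, every borrow against a withdrawn pledge is refused and `unbacked_debt` stays at zero.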

Nearly 12 hours after the attack, XCarnival asked the hacker to return the stolen funds, offered a 1,500 ETH bounty, and promised exemption from legal action. As per blockchain data, the exploiter accepted the offer after a bounty negotiation that began with 250 ETH and settled at 1,500 ETH. 

Theft and Scam Prevention

In a similar incident,…
