NFT Platform XCarnival Under Attack: Malefactors Use BAYC Token
As per the protocol's post-mortem, the security agencies have already "tentatively determined" the hackers' location, and negotiations are underway.
XCarnival NFT lending platform attacked via unusual vector
According to the statement shared by PeckShield, a leading cybersecurity provider for blockchain products, NFT lending platform XCarnival was attacked.
1/ @XCarnival_Lab was exploited in a flurry of txs (one hack tx: https://t.co/LUcxSU9UQn),
— PeckShield Inc. (@peckshield) June 26, 2022
leading to the gain of 3,087 ETH (~$3.8M) for the hacker (The protocol loss may be larger). pic.twitter.com/mmGw5PQfbt
Attackers managed to get an infinite number of loans using the same high-profile NFT (Bored Apes Yacht Club #5110). The protocol was targeted by a "flurry" of transactions initiated by hackers.
Malefactors managed to generate multiple contract addresses, pledge BAYC NFT as collateral, get a loan, immediately withdraw an NFT and repeat this procedure multiple times.
As such, hackers borrowed over $3.8 million in Ethereum (ETH) equivalent with no need to pay the loan back. This became possible due to the vulnerability in the borrowing module codebase.
Hackers started returning funds
The team promptly reported the issue to cybersecurity and law enforcement agencies. Initially, the hacker was offered a $300,000 bounty to recover the funds, but then the sum was increased to $1.8 million.
The main contract as well as deposit and borrowing functions were shut down to prevent XCarnival users from losing their funds.
As the attacker was tracked, the negotiations started. By press time, he/she has returned 1,467 Ethers (ETH) stolen. It should also be noted that initial funds for the attack were transferred out of the Tornado Cash mixer.
Vladislav SopovAs covered by U.Today previously, the hackers attacked the Inverse Finance decentralized lending/borrowing protocol earlier this month; losses eclipsed $1.25 million in equivalent.
Disclaimer: The opinions expressed by our writers are their own and do not represent the views of U.Today. The financial and market information provided on U.Today is intended for informational purposes only. U.Today is not liable for any financial losses incurred while trading cryptocurrencies. Conduct your own research by contacting financial experts before making any investment decisions. We believe that all content is accurate as of the date of publication, but certain offers mentioned may no longer be available.
Related articles
Arman Shirinyan
Tomiwabold Olajide
Dan Burgin