As per the protocol's post-mortem, the security agencies have already "tentatively determined" the hackers' location, and negotiations are underway.
XCarnival NFT lending platform attacked via unusual vector
According to the statement shared by PeckShield, a leading cybersecurity provider for blockchain products, NFT lending platform XCarnival was attacked.
1/ @XCarnival_Lab was exploited in a flurry of txs (one hack tx: https://t.co/LUcxSU9UQn),— PeckShield Inc. (@peckshield) June 26, 2022
leading to the gain of 3,087 ETH (~$3.8M) for the hacker (The protocol loss may be larger). pic.twitter.com/mmGw5PQfbt
Attackers managed to get an infinite number of loans using the same high-profile NFT (Bored Apes Yacht Club #5110). The protocol was targeted by a "flurry" of transactions initiated by hackers.
Malefactors managed to generate multiple contract addresses, pledge BAYC NFT as collateral, get a loan, immediately withdraw an NFT and repeat this procedure multiple times.
As such, hackers borrowed over $3.8 million in Ethereum (ETH) equivalent with no need to pay the loan back. This became possible due to the vulnerability in the borrowing module codebase.
Hackers started returning funds
The team promptly reported the issue to cybersecurity and law enforcement agencies. Initially, the hacker was offered a $300,000 bounty to recover the funds, but then the sum was increased to $1.8 million.
The main contract as well as deposit and borrowing functions were shut down to prevent XCarnival users from losing their funds.
As the attacker was tracked, the negotiations started. By press time, he/she has returned 1,467 Ethers (ETH) stolen. It should also be noted that initial funds for the attack were transferred out of the Tornado Cash mixer.
As covered by U.Today previously, the hackers attacked the Inverse Finance decentralized lending/borrowing protocol earlier this month; losses eclipsed $1.25 million in equivalent.