XCarnival hacker accepts reward – The Cryptonomist

Author of the hack of XCarnival, a metaverse asset loan aggregator, has accepted a $1.85 million reward to return the stolen funds.

XCarnival hacker accepts reward

The hacker behind the June 26 theft of the systems of the metaverse asset loan aggregator, XCarnival, has agreed to return part of the stolen funds upon payment of a $1.85 million reward. The loan aggregator for NFTs and metaverse, had already recovered 50% of the $3.8 million lost and has now decided on a ransom payment to receive the remainder.

According to initial reconstructions made by the company Peckshield, tasked with investigating the theft, a hacker exploited a flaw in the smart contract that also allowed a pledged asset to be used as collateral, in this case a Bored Ape Yacht Club NFT. 

1/ @XCarnival_Lab was exploited in a flurry of txs (one hack tx: https://t.co/LUcxSU9UQn),
leading to the gain of 3,087 ETH (~$3.8M) for the hacker (The protocol loss may be larger). pic.twitter.com/mmGw5PQfbt

— PeckShield Inc. (@peckshield) June 26, 2022

A statement from the investigative firm reads:

“The hack is made possible by allowing a withdrawn pledged NFT to be still used as the collateral, which is then exploited by the hacker to drain assets from the pool”.

XCarnival was attacked on June 26, 2022 and suspended part of the protocol. XCarnival officials will give 0xb7CBB4d43F1e08327A90B32A8417688C9D0B800a owner 1500 ETH bounty.
At the same time, XCarnival officals explicitly exempt the person from legal action.

By XCarnival team

— XCarnival (@XCarnival_Lab) June 27, 2022

In a statement issued shortly after the attack, XCarnival said:

“Currently our smart contract has been suspended, all deposit and borrowing actions are temporarily not supported, please stay tuned, we will confirm the situation as soon as possible”.

How did the theft affect the platform?

After the news of the theft, XCarnival’s native token lost 10%. The company allows its users lavish earnings, thanks to NFT loans and other digital assets.

Initially, the company had offered the reward of $300,000 but the hacker raised again with the demand of 1,500 ETH accepted by XCarnival. According to Etherscan’s latest findings, the hacker has already returned about 1,500 ETH of the 1,800 still in its possession.

Evidently, the hackers seem to be aggressively targeting digital asset lending companies, considering that ten days ago, it was the turn of Inverse Financial, a DeFi company that specializes in cryptocurrency lending, to suffer a hacking attack that netted about $1.26 million for the perpetrator. 

1/ @InverseFinance was exploited in https://t.co/OaCemQfWug,
leading to the gain of ~$1.26M for the hacker (The protocol loss may be larger).

— PeckShield Inc. (@peckshield) June 16, 2022

The same company had already suffered a hacker attack that had taken about $15 million from the company’s accounts.