Key Takeaway
- XCarnival was exploited in a flurry of transactions on June 26, with a loss of $3.8M.
Below is a quick overview of this project.
XCarnival has described itself as the top player of Metaverse Asset Bank.
What was the Team’s Response to the Attack?
Around 7:37 PM IST on June 26: the XCarnival team tweeted that all their smart contracts are suspended and all deposit and borrowing actions are temporarily disabled.
Around 6:35 AM on June 27: the XCarnival team confirmed that the hacker attacked the platform on June 26, 2022. XCarnival officials also announced a 1500 ETH bounty for the owner of 0xb7CBB4d43F1e08327A90B32A8417688C9D0B800a. At the same time, XCarnival officials will explicitly exempt the person from legal action.
How did the Attack occur?
This hack was made possible by allowing a pledged NFT that had already been withdrawn to still be used as collateral, which the hacker then exploited to drain assets from the pool.
Here is the link to one of the hacker's transactions:
https://etherscan.io/tx/0x51cbfd46f21afb44da4fa971f220bd28a14530e1d5da5009cfbdfee012e57e35
The hacker withdrew the initial funds (120 ETH) used to launch the attack from Tornado Cash. Below is the screenshot by the PeckShield team showing how the hacker performed the attack.
So, here is a quick overview of the steps performed by the hacker:
- Step 1: The hacker first generates multiple contract addresses and then calls the `XNFT` contract.
- Step 2: He then pledges the NFT and generates an `orderId`.
- Step 3: He then withdraws the NFT, and this operation is performed multiple times.
- Step 4: He then calls the `XToken` contract's `borrow()` through the previous contract address with the same `orderId`. In the call to `borrow()` there is no check that the NFT has already been withdrawn.
- Step 5: So the hacker borrowed, did not pay it back, and kept repeating this operation.
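To make the missing check concrete, here is a toy Python model of the pledge/withdraw/borrow flow described in the steps above. It is an added example, not XCarnival's contract code; the `Pool`, `Order`, `check_withdrawn` flag and the "borrower" account are all constructed for illustration. With `check_withdrawn=False` the order whose NFT has left the pool still backs new loans; with the guard on, `borrow()` refuses it.

```python
# Toy model of the pledge/withdraw/borrow flow (added example, not XCarnival's code).
from dataclasses import dataclass, field

class LendingError(Exception):
    pass

@dataclass
class Order:
    owner: str
    withdrawn: bool = False  # True once the pledged NFT has left the pool
    debt: int = 0

@dataclass
class Pool:
    liquidity: int                 # lendable funds, arbitrary units
    check_withdrawn: bool = True   # False reproduces the missing guard
    orders: dict = field(default_factory=dict)
    def pledge(self, owner: str) -> int:
        oid = len(self.orders) + 1   # orderId handed back to the pledger
        self.orders[oid] = Order(owner)
        return oid
    def withdraw_nft(self, owner: str, oid: int) -> None:
        o = self.orders[oid]
        if o.owner != owner or o.debt or o.withdrawn:
            raise LendingError("cannot withdraw")
        o.withdrawn = True           # collateral is gone; the order must be dead
    def borrow(self, owner: str, oid: int, amount: int) -> int:
        o = self.orders[oid]
        if o.owner != owner:
            raise LendingError("not order owner")
        if self.check_withdrawn and o.withdrawn:
            raise LendingError("collateral already withdrawn")  # the guard that was missing
        if amount > self.liquidity:
            raise LendingError("insufficient liquidity")
        o.debt += amount
        self.liquidity -= amount
        return self.liquidity

def funds_lent_after_withdraw(check_withdrawn: bool, rounds: int = 3) -> int:
    """Pledge, withdraw, then borrow against the same orderId `rounds` times.
    Returns how much liquidity the pool lost; 0 means the guard held."""
    pool = Pool(liquidity=100, check_withdrawn=check_withdrawn)
    oid = pool.pledge("borrower")      # constructed sample account
    pool.withdraw_nft("borrower", oid)
    for _ in range(rounds):
        try:
            pool.borrow("borrower", oid, 10)
        except LendingError:
            break
    return 100 - pool.liquidity
```

The invariant a reviewer would look for is that an order whose collateral has been withdrawn can never back a loan again, regardless of which caller address presents the `orderId`.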
What is the Team doing now?
As of now, the XCarnival team has confirmed that the hacker has returned 1,467 ETH, and the security agencies have tentatively determined the hacker's geographic location.
Meanwhile, the CertiK team is rechecking the XCarnival contract code, and the PeckShield team is re-auditing the lending contract code for the issue.
As crypto hacks are increasing nowadays, our readers should stay alert.