XCarnival Hacked, Around $3.8M Stolen, $1.8M Returned by the Hacker

Share IT

Key Takeaway

  • XCarnival was exploited in a flurry of transactions on June 26, with a loss of $3.8M.

Below is a quick overview of this project.

XCarnival has described itself as the top Player of Metaverse Asset Bank.

What was the Team’s Response to the Attack?

Around 7:37 PM IST, On June 26: XCarnival team tweeted that their all Smart contracts are suspended, All deposit and borrowing actions are temporarily disabled.

Around 6:35 AM, On June 27: XCarnival Team confirmed that the Hacker attacked the platform on June 26, 2022. XCarnival officials also announced to give 0xb7CBB4d43F1e08327A90B32A8417688C9D0B800a owner 1500 ETH bounty. At the same time, XCarnival officials will explicitly exempt the person from legal action.

How did the Attack occur?

This hack was made possible by allowing a withdrawn pledged NFT to be still used as the collateral, which the Hacker then exploits to drain assets from the pool.

Xcarnival Hacked, Around $3.8M Stolen, $1.8M Returned By The Hacker

Here is the link to one of the Hacker’s Transaction: 


Hacker withdrew from the initial fund (120 ETH) to launch the hack from Tornado Cash. Below is the screenshot by PeckShield Team on how the Hacker performed the Attack.

Xcarnival Hacked, Around $3.8M Stolen, $1.8M Returned By The Hacker

So, here is a quick overview of the steps performed by the Hacker:

  • Step 1: Hacker firstly generates multiple contract addresses and then goes to call the XNFT contract.
  • Step 2: Then he pledges the NFT and generates an orderld.
  • Step 3: Then he withdraws the NFT, and this operation is performed multiple times.
  • Step 4: Then he calls the XToken contract’s borrow() through the previous contract address as well as the orderld In the call to borrow(), but there is no judgment that the NFT has been withdrawn
  • Step 5: So Hacker borrowed and did not pay it back, then keeps repeating this operation.

What is Team doing now?

As of now, XCarnival Team has confirmed that the Hacker has returned 1,467 ETH, and the security agencies have tentatively determined the Hacker’s geographic location.

Xcarnival Hacked, Around $3.8M Stolen, $1.8M Returned By The Hacker

Meanwhile, CertiK Team is rechecking the XCarnival contract code, and the PeckShield team is checking the re-audit lending contract code issue.

As crypto hacks are increasing nowadays, our readers should stay alert.

Here are some latest hacked Projects our readers should know about:

  1. Ronin Bridge Hacked, Around $625M Lost, Biggest DeFi Hack in the History
  2. Harmony Hacked, Around $100M Stolen, $1M Bounty for the Return of Funds
  3. Beanstalk Farms Hacked, Around $80M Lost, $250K into Ukraine Crypto Donation
  4. Rari Capital Hacked, Around $80M Lost
Share IT
Yash Kamal Chaturvedi
Yash Kamal Chaturvedi

Btech Computer Science, Maharshi Dayanand University, Rohtak (2023)

Get Daily Updates

Crypto News, NFTs and Market Updates

Can’t find what you’re looking for? Type below and hit enter!