- XCarnival was exploited in a flurry of transactions on June 26, with a loss of $3.8M.
Below is a quick overview of this project.
XCarnival has described itself as the top Player of Metaverse Asset Bank.
What was the Team’s Response to the Attack?
Around 7:37 PM IST on June 26, the XCarnival team tweeted that all of their smart contracts were suspended and that all deposit and borrowing actions were temporarily disabled.
Around 6:35 AM on June 27, the XCarnival Team confirmed that the Hacker attacked the platform on June 26, 2022. XCarnival officials also announced that they would give the owner of 0xb7CBB4d43F1e08327A90B32A8417688C9D0B800a a 1500 ETH bounty. At the same time, XCarnival officials will explicitly exempt the person from legal action.
How did the Attack occur?
This hack was made possible because a pledged NFT that had been withdrawn could still be used as collateral, which the Hacker then exploited to drain assets from the pool.
Here is the link to one of the Hacker's transactions:
The Hacker withdrew the initial funds (120 ETH) used to launch the hack from Tornado Cash. Below is the screenshot by the PeckShield Team showing how the Hacker performed the Attack.
So, here is a quick overview of the steps performed by the Hacker:
- Step 1: The Hacker first generates multiple contract addresses and then calls the
- Step 2: Then he pledges the NFT and generates an
- Step 3: Then he withdraws the NFT, and this operation is performed multiple times.
- Step 4: Then he calls borrow() using the previous contract address as well as the orderId. In the call to borrow(), however, there is no check that the NFT has been withdrawn.
- Step 5: So the Hacker borrowed and did not pay it back, then kept repeating this operation.
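The missing check from Step 4, shown as an added sketch that is not XCarnival's contract code. It is a hypothetical minimal pool whose borrow() refuses an order once its NFT has left the pool; only borrow() and orderId come from the write-up, and every other name (CollateralPoolSketch, Order, pledge, withdrawNFT, LOAN_PER_NFT) is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical minimal pool for illustration; not the project's code.
contract CollateralPoolSketch {
    struct Order {
        address pledger;
        address collection;
        uint256 tokenId;
        bool withdrawn; // set when the NFT leaves the pool
        uint256 debt;   // outstanding borrow against this order
    }

    mapping(uint256 => Order) public orders;
    uint256 public nextOrderId = 1;
    uint256 public constant LOAN_PER_NFT = 1 ether; // constructed value

    receive() external payable {} // pool liquidity

    function pledge(address collection, uint256 tokenId) external returns (uint256 orderId) {
        IERC721(collection).transferFrom(msg.sender, address(this), tokenId);
        orderId = nextOrderId++;
        orders[orderId] = Order(msg.sender, collection, tokenId, false, 0);
    }

    function withdrawNFT(uint256 orderId) external {
        Order storage o = orders[orderId];
        require(o.pledger == msg.sender, "not pledger");
        require(!o.withdrawn, "already withdrawn");
        require(o.debt == 0, "repay first");
        o.withdrawn = true; // record the state change before the external call
        IERC721(o.collection).transferFrom(address(this), msg.sender, o.tokenId);
    }

    // Weak form: only the first require, so any existing order counts as collateral.
    // Hardened form: the order must still hold its NFT and carry no open debt.
    function borrow(uint256 orderId) external {
        Order storage o = orders[orderId];
        require(o.pledger == msg.sender, "not pledger");
        require(!o.withdrawn, "collateral withdrawn");
        require(o.debt == 0, "already borrowed");
        o.debt = LOAN_PER_NFT;
        (bool ok, ) = msg.sender.call{value: LOAN_PER_NFT}("");
        require(ok, "transfer failed");
    }
}
```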
What is the Team doing now?
As of now, the XCarnival Team has confirmed that the Hacker has returned 1,467 ETH, and the security agencies have tentatively determined the Hacker's geographic location.
Meanwhile, the CertiK Team is rechecking the XCarnival contract code, and the PeckShield team is re-auditing the lending contract code for the issue.
As crypto hacks are increasing nowadays, our readers should stay alert.