Ethereum liquidity provider XCarnival has offered a hacker 1,500 ETH as a bounty in addition to exemption from legal proceedings.
XCarnival immediately took note of the attack, suspending the protocol's smart contracts, deposits, and borrowing features until it identified the internal bug that made the hack possible.
XCarnival has so far recovered 1,467 ETH from an exploit that has bled 3,087 ETH ($3.8 million USD).
Blockchain investigator Peckshield first took notice of the hack, which happened on June 26 and took the form of a string of transactions that drained the protocol.
1/ @XCarnival_Lab was exploited in a flurry of txs (one hack tx: https://t.co/LUcxSU9UQn), leading to the gain of 3,087 ETH (~$3.8M) for the hacker (The protocol loss may be larger). pic.twitter.com/mmGw5PQfbt
— PeckShield Inc. (@peckshield) June 26, 2022
XCarnival was attacked on June 26, 2022 and suspended part of the protocol. XCarnival officials will give 0xb7CBB4d43F1e08327A90B32A8417688C9D0B800a owner 1500 ETH bounty.
At the same time, XCarnival officials explicitly exempt the person from legal action. By XCarnival team
— XCarnival (@XCarnival_Lab) June 27, 2022
Following an investigation, it emerged that the hack was made possible by a flaw that allowed a pledged NFT to still be used as collateral after it had been withdrawn, which the hacker then exploited to drain assets from the pool.
Peckshield noted that the hacker used a previously withdrawn pledged NFT from the Bored Ape Yacht Club collection as collateral for the exploit.
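The flaw described above, as a simplified model added here for illustration (it is not XCarnival's contract code; the class, method names and amounts are assumptions). It shows the missing custody check beside the corrected behaviour, plus an invariant a test suite or monitor could assert: no debt may rest on an NFT the pool no longer holds.

```python
# Constructed toy model of an NFT-collateral lending pool, not real contract code.
class Pool:
    """check_custody=False models the flaw; True models the corrected check."""

    def __init__(self, liquidity, check_custody):
        self.liquidity = liquidity
        self.check_custody = check_custody
        self.orders = {}  # order id -> {"owner", "in_custody", "debt"}

    def pledge(self, owner):
        order_id = len(self.orders) + 1
        self.orders[order_id] = {"owner": owner, "in_custody": True, "debt": 0}
        return order_id

    def withdraw(self, owner, order_id):
        order = self.orders[order_id]
        if order["owner"] != owner or not order["in_custody"] or order["debt"]:
            raise PermissionError("cannot withdraw")
        order["in_custody"] = False  # NFT returned; the order record remains

    def borrow(self, owner, order_id, amount):
        order = self.orders[order_id]
        if order["owner"] != owner:
            raise PermissionError("not the pledger")
        # The fix: a pledge record only counts while the NFT is still held.
        if self.check_custody and not order["in_custody"]:
            raise PermissionError("collateral already withdrawn")
        if amount > self.liquidity:
            raise ValueError("insufficient liquidity")
        order["debt"] += amount
        self.liquidity -= amount

    def unbacked_debt(self):
        """Invariant check: total debt against NFTs the pool no longer holds."""
        return sum(o["debt"] for o in self.orders.values() if not o["in_custody"])


def run_scenario(check_custody):
    """Pledge, withdraw, then request a loan against the stale order record."""
    pool = Pool(liquidity=100, check_custody=check_custody)
    order_id = pool.pledge("alice")
    pool.withdraw("alice", order_id)
    try:
        pool.borrow("alice", order_id, 40)
        rejected = False
    except PermissionError:
        rejected = True
    return rejected, pool.unbacked_debt(), pool.liquidity
```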
3/ The initial fund (120 ETH) to launch the hack is withdrawn from @TornadoCash. Currently 3,087 ETHs of the illicit gains still stay in the hacker’s account https://t.co/93lYvSLooe pic.twitter.com/eaRwcJsPnr
— PeckShield Inc. (@peckshield) June 26, 2022
Screenshots of the hacker’s wallet showed that it was in possession of 3,087 ETH after the hack, while remaining funds seemed to be siphoned successfully. As of writing, the hacker’s wallet holds 0 ETH.
XCarnival has announced plans to reveal further details regarding a post-mortem of the incident soon.