Leading NFT lending pool XCarnival has suffered an exploit that drained 3,087 ETH, worth approximately $3.8M. The hacker has since returned almost 50% of the stolen ETH, around 1,467 ETH, to the platform.
The hacker pledged one NFT, Bored Ape #5110, as collateral for a loan. Collateral such as the Bored Ape should normally remain locked until the debt is repaid.
But by exploiting a vulnerability, the hacker was able to retrieve the Bored Ape without repaying the loan and then use it to take out a new loan. Repeating this many times drained 3,087 ETH from the protocol.
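The collateral rule the article describes (an NFT pledged against a loan stays locked until the debt is repaid) can be written down as a small model. The Python below is an added illustration and is not XCarnival's contract code; the pool, the account names and the token id are constructed. It places a withdraw path that ignores the loan book next to one that checks it, and adds an invariant check of the kind a monitor could run over a pool's state.

```python
from __future__ import annotations

from dataclasses import dataclass


class LoanError(Exception):
    """Raised when a pool operation would violate the collateral rules."""


@dataclass
class Loan:
    loan_id: int
    nft_id: str
    borrower: str
    principal: int        # outstanding debt, in whole ETH for readability
    active: bool = True


class NftLendingPool:
    """Constructed, simplified NFT-collateralised lending pool (not XCarnival's code)."""

    def __init__(self, liquidity: int) -> None:
        self.liquidity = liquidity            # ETH the pool can still lend out
        self.custody: dict[str, str] = {}     # nft_id -> pledger, for NFTs the pool holds
        self.loans: list[Loan] = []           # every loan ever opened

    def active_loan_for(self, nft_id: str) -> Loan | None:
        for loan in self.loans:
            if loan.nft_id == nft_id and loan.active:
                return loan
        return None

    def pledge_and_borrow(self, borrower: str, nft_id: str, amount: int) -> int:
        """Take the NFT into custody and lend `amount` against it; returns the loan id."""
        if nft_id in self.custody:
            raise LoanError("NFT is already pledged")
        if amount > self.liquidity:
            raise LoanError("insufficient pool liquidity")
        self.custody[nft_id] = borrower
        loan = Loan(len(self.loans), nft_id, borrower, amount)
        self.loans.append(loan)
        self.liquidity -= amount
        return loan.loan_id

    def repay(self, nft_id: str, amount: int) -> None:
        loan = self.active_loan_for(nft_id)
        if loan is None:
            raise LoanError("no outstanding loan on this NFT")
        if amount > loan.principal:
            raise LoanError("overpayment")
        loan.principal -= amount
        self.liquidity += amount
        if loan.principal == 0:
            loan.active = False

    def withdraw_nft_unchecked(self, caller: str, nft_id: str) -> None:
        """Weak pattern: releases collateral on the pledger's request without consulting the loan book."""
        if self.custody.get(nft_id) != caller:
            raise LoanError("caller did not pledge this NFT")
        del self.custody[nft_id]

    def withdraw_nft(self, caller: str, nft_id: str) -> None:
        """Hardened pattern: collateral stays locked while any loan against it is active."""
        if self.custody.get(nft_id) != caller:
            raise LoanError("caller did not pledge this NFT")
        loan = self.active_loan_for(nft_id)
        if loan is not None:
            raise LoanError(f"collateral locked: {loan.principal} ETH still owed")
        del self.custody[nft_id]

    def collateral_invariant_holds(self) -> bool:
        """Monitoring check: every active loan's NFT is in custody and backs only that loan."""
        active = [loan for loan in self.loans if loan.active]
        for loan in active:
            backing = sum(1 for other in active if other.nft_id == loan.nft_id)
            if loan.nft_id not in self.custody or backing != 1:
                return False
        return True


def simulate(unchecked: bool, liquidity: int = 300, per_loan: int = 100) -> tuple[int, bool]:
    """Replay the pledge -> withdraw -> re-pledge sequence the article describes against
    either withdraw path. Returns (remaining liquidity, whether the invariant still holds)."""
    pool = NftLendingPool(liquidity)
    nft = "ape-constructed-example"       # constructed identifier, not a real token id
    pool.pledge_and_borrow("pledger", nft, per_loan)
    while pool.liquidity >= per_loan:
        try:
            if unchecked:
                pool.withdraw_nft_unchecked("pledger", nft)
            else:
                pool.withdraw_nft("pledger", nft)
        except LoanError:
            break                         # hardened path refuses; the sequence ends here
        pool.pledge_and_borrow("pledger", nft, per_loan)
    return pool.liquidity, pool.collateral_invariant_holds()


if __name__ == "__main__":
    print("unchecked withdraw:", simulate(unchecked=True))   # (0, False)
    print("hardened withdraw: ", simulate(unchecked=False))  # (200, True)
```

The single check in `withdraw_nft` (refuse while an active loan references the NFT) is what keeps the pool's liquidity and the invariant intact; `collateral_invariant_holds` is the state-level test a defender can run independently of any one code path, since it flags both an NFT that left custody while owing and an NFT backing more than one open loan.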
XCarnival then communicated with the hacker on-chain and asked for the funds to be returned.
The platform first offered a $300,000 bounty in exchange for the return of the stolen funds. The hacker later accepted XCarnival’s updated offer, under which the hacker keeps half of the ETH.
The initial funding for the hack, around 120 ETH, was withdrawn via Tornado Cash. Security organizations and the police have since worked closely to find the hacker’s geographical location.
However, XCarnival did agree not to take legal action against the hacker in exchange for returning half of the stolen money.
In an effort to protect users’ assets, XCarnival promptly suspended the contract as well as the deposit and borrowing features while examining the hacker’s ETH address.
Exploited platforms are now rewarding hackers who steal from them with big bounties. Currently, Harmony Protocol is offering a $1M bounty to the hacker, to be paid only if the hacker returns the funds and shares exploit information.