Ethereum lending platform XCarnival confirmed a bad actor stole $3.8 million or 3,087 ETH. According to a report from on-chain security firm Peck Shield, a hacker exploited a vulnerability on the protocol’s smart contract by borrowing ETH and creating “multiple pledge orders to pledge BAYC (Bored Ape Yacht Club NFTs) many times”.
XCarnival operates as a non-fungible token (NFT) lending pool. The platform enables NFT holders to deposit their assets in exchange for liquidity. This process involves three smart contracts: an NFT manager, a P2Controller to manage lending restrictions, and fund storage, as stated by another security firm Go+ Security.
The hacker bought item 5110 from the popular Bored Ape Yacht Club NFT collection on OpenSea. Later, he deposited this asset on XCarnival and conducted an attack to “use the same NFT for borrowing”.
In other words, the attacker was able to pledge the NFT, borrowed ETH, and then remove the NFT without paying back the loan. The bad actor completed this process several times until the pool was drained.
Go+ Security explained that the hacker created a Master smart contract and several “slaves” smart contracts to conduct the attack:
Then Slave 5338 withdrew the NFT and sent it back to Master, who then repeated this process with other Slaves. In this way they created many orderIDs, which can later be used as lending credentials. But bugged xNFT contract didn’t revoke the credential after withdrawing.
XCarnival’s operated with a vulnerability on its smart contracts, mentioned above, which enable the attack if the user stays within a certain. Go+ Security added on the attack and the smart contract vulnerability: “Collateral is still valid after withdrawing. This is a very simple & naive bug in contract implementation.”
In light of the successful attack, the Ethereum-based NFT lending protocol decided to offer the hacker a deal.
Ethereum Platform Makes Deals With Its Attacker
According to its official Twitter account, the XCarnival offered the hacker a 1,500 ETH or $1.8 million bounty. Half the stolen funds. The attacker only needed to return the other half and they got to keep the money and suffer no legal consequences.
The team behind the platform confirmed that the hacker agreed to the terms. Half the stolen funds were returned to the pool. The Ethereum lending platform claims “security agencies have tentatively determined the hacker’s geographic location”.
This statement seems to hint at possible legal consequences for the attacker, but the team behind this project is yet to provide more information.
— Tal Be’ery (@TalBeerySec) June 27, 2022
This is not the first time a hacker agrees to return a portion or the full amount of the stolen funds. Some hackers attack decentralized finance (DeFi) platforms and often held the money hostage until they receive payment for what they considered to be a “service”. Other projects are less lucky and pay the ultimate price.
At the time of writing, Ethereum (ETH) trades at $1,180 with a 3% loss in the last 24 hours.