NFTs lending platform XCarnival was hacked for over $3 million on June 26, consequently resulting in the suspension of the smart contract. However, the hacker has accepted a bounty offer to return part of the stolen funds.
XCarnival recovers half of stolen funds
Blockchain security firm PeckShield explained that the hacker manipulated the protocol by using a withdrawn pledged NFT as collateral to borrow more funds. After several repeated transactions, the hacker gained 3,087 ETH, an equivalent of $3.8 million at the time of the incident. PeckShield said the protocol loss might be larger.
XCarnival confirmed that attack in a tweet, noting that deposits and borrowing have been temporarily suspended. The team negotiated with the hacker to return half of the stolen funds while keeping the rest as a bounty. They also offered to exempt the person from legal action, which the hacker agreed to.
The hacker held on to 1,500 ETH as a bounty and returned 1,467 ETH to XCarnival officials.
Hackers have no chill
The crypto industry is still hit with an increasing record of protocol exploits and scams despite the crypto winter.
Less than a week ago, hackers exploited a vulnerability on Harmony’s Horizon bridge to steal about $100 million in Ethereum, Binance Coin, Tether, USD Coin, and Dai, which were all later swapped for ETH on decentralized exchanges, a “commonly seen technique with these hacks,” according to Elliptic.
Earlier in June, Osmosis liquidity pool was drained of $5 million. Shortly after the platform began investigating the source of the attack, about $2 million of the stolen funds were recovered from two members of FireStack, one of the biggest validators on Osmosis.