How did hackers steal 3,000 ETH? NFT lending platform XCarnival was attacked

XCarnival
XCarnival is an NFT lending platform that allows NFT owners to pledge their NFT art or collectibles as collateral in exchange for cryptocurrency or fiat currency.
How does NFT lending work? Platforms that support NFT lending allow holders to borrow money and set terms without an intermediary.
Borrowers can expect a loan of about 50% of the value of the NFT, with interest rates ranging from 20% to 80%, depending on how popular the NFT is.
The appeal of DeFi protocols compared with traditional lenders is that they are simple, transparent and efficient.
NFT collateral assets are sent to a smart contract, which acts as an impartial, automated third-party program that completes the lending process.
Lenders assess the collateral’s fair value, usually by looking at the asset’s past performance, sales history or floor price.
Once terms are agreed, the NFT transfers from the borrower’s wallet into an escrow account and the smart contract facilitates borrowing.
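To make the escrow flow above concrete, here is a toy model of an NFT-collateralised loan contract. It is an added example for this article, not XCarnival’s contract and not derived from it; the 50% loan-to-value cap and the 20%–80% interest band are the figures quoted above, while the class and function names, the borrower name and the appraisal values are assumptions. The point it shows is the invariant a lending contract must enforce: collateral can only be released once the debt is cleared.

```python
"""Toy NFT-collateralised loan escrow (illustration only, not XCarnival's code).
The 50% LTV cap and 20%-80% APR band are the figures quoted in the article;
names, appraisal values and the simple-interest rule are assumptions."""
from dataclasses import dataclass, field

MAX_LTV = 0.50                 # borrow at most ~50% of appraised value
MIN_APR, MAX_APR = 0.20, 0.80  # interest band quoted in the article


class LoanError(Exception):
    """Raised when a lending invariant would be violated."""


@dataclass
class Loan:
    principal: float
    apr: float
    days_elapsed: int = 0

    def debt(self) -> float:
        # Simple (non-compounding) interest pro-rated by day: a modelling assumption.
        return self.principal * (1 + self.apr * self.days_elapsed / 365)


@dataclass
class NftEscrow:
    """Holds pledged NFTs and enforces the lending rules."""
    pledger: dict = field(default_factory=dict)    # nft_id -> borrower
    appraisal: dict = field(default_factory=dict)  # nft_id -> appraised value (ETH)
    loans: dict = field(default_factory=dict)      # nft_id -> Loan

    def pledge(self, borrower: str, nft_id: int, appraised_eth: float) -> None:
        if nft_id in self.pledger:
            raise LoanError("NFT already in escrow")
        if appraised_eth <= 0:
            raise LoanError("appraisal must be positive")
        self.pledger[nft_id] = borrower
        self.appraisal[nft_id] = appraised_eth

    def max_borrow(self, nft_id: int) -> float:
        return self.appraisal[nft_id] * MAX_LTV

    def borrow(self, borrower: str, nft_id: int, amount_eth: float, apr: float) -> Loan:
        if self.pledger.get(nft_id) != borrower:
            raise LoanError("caller did not pledge this NFT")
        if nft_id in self.loans:
            raise LoanError("NFT already backs an active loan")
        if not MIN_APR <= apr <= MAX_APR:
            raise LoanError("rate outside the 20%-80% band")
        if amount_eth > self.max_borrow(nft_id):
            raise LoanError("amount exceeds 50% of appraised value")
        self.loans[nft_id] = Loan(principal=amount_eth, apr=apr)
        return self.loans[nft_id]

    def repay(self, nft_id: int, paid_eth: float) -> float:
        """Clears the loan; returns the change owed back to the borrower."""
        due = self.loans[nft_id].debt()
        if paid_eth < due:
            raise LoanError(f"{due:.4f} ETH due, got {paid_eth}")
        del self.loans[nft_id]
        return paid_eth - due

    def withdraw(self, borrower: str, nft_id: int) -> int:
        # Collateral must never leave escrow while a loan is still open.
        if self.pledger.get(nft_id) != borrower:
            raise LoanError("not the pledger")
        if nft_id in self.loans:
            raise LoanError("repay the loan before withdrawing the collateral")
        del self.pledger[nft_id]
        del self.appraisal[nft_id]
        return nft_id


def demo() -> dict:
    """Walk one loan through pledge, borrow, blocked withdrawal, repay, withdraw."""
    esc = NftEscrow()
    esc.pledge("alice", 5110, appraised_eth=90.0)   # constructed appraisal
    cap = esc.max_borrow(5110)
    loan = esc.borrow("alice", 5110, cap, apr=0.20)
    loan.days_elapsed = 365
    try:
        esc.withdraw("alice", 5110)
        blocked = False
    except LoanError:
        blocked = True
    change = esc.repay(5110, 60.0)
    esc.withdraw("alice", 5110)
    return {"max_borrow": cap, "debt_after_year": cap * 1.2,
            "withdraw_blocked": blocked, "change": change}


if __name__ == "__main__":
    print(demo())
```

The `withdraw` check is the one that matters for a lender: a contract that lets the pledger pull the collateral, or lets a second loan be opened against the same NFT, is the kind of logic gap that turns an escrow into a source of free funds.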
XCarnival was attacked and 3,000 ETH stolen
On June 26, the NFT lending protocol XCarnival was hacked. The hackers gained 3,000 ETH (about $3.8 million), and the protocol’s total loss could be much higher.
XCarnival platform asset addresses:
“XNFTProxy”: https://eth.tokenview.com/en/address/0xb14b3b9682990ccc16f52eb04146c3ceab01169a
“XETHProxy”: https://eth.tokenview.com/en/address/0xb38707e31c813f832ef71c70731ed80b45b85b2d
Hacker address:
https://eth.tokenview.com/en/address/0xca67615bb9a9cc093e13dee3de1ca55b55ab3586
How XCarnival was attacked:
1. The attacker withdrew 120 ETH from Tornado.Cash as “attack preparation”.

2. The attacker then purchased NFT BAYC #5110 for 91.65 ETH on OpenSea.

3. The attacker created multiple attack contracts, transferred the NFT to them and carried out the attack. For example, the first attack, through contract 0xf7, gained 1,980 ETH. The attack contracts:
0xf70F691D30ce23786cfb3a1522CFD76D159AcA8d
0xbcf759e6889af3af5cdb02ddc5557aa525e7ed8b
0x3edf976df38f7d6273884b4066e3689ef547d816
0x7b5a2f7cd1cc4eef1a75d473e1210509c55265d8
0x234e4b5fec50646d1d4868331f29368fa9286238

4. The attack exploited a contract bug in the NFT lending platform; according to Tokenview data, the attacker made a profit of at least 3,000 ETH (approximately $3.8 million).

5. Finally, the attacker sold NFT BAYC #5110 for 85 ETH on OpenSea, retrieving 81.56 ETH.
XCarnival official response
At 22:07 on June 26th, the XCarnival team tweeted that they had suspended their smart contracts and the deposit and loan functions.
At 22:37:19, XCarnival started a conversation with the hackers. “Hi there, we have awared of our contractual vulnerability and we are contacting you in hopes of recovering this loss. If you’d like to have a conversation Will be highly appreciated. We can talk through contact@xcarnival.fi or transaction, thanks.”

By 1 a.m. on June 27th, the XCarnival attacker was moving assets.
According to Tokenview data, at 01:12:29 the attacker sent 2,967 ETH (approximately $3.6 million) to the new address 0xCA, and from 01:17:02 to 01:22:22 sent 120 ETH to Tornado.Cash in batches.

According to Tokenview, after a series of negotiations XCarnival offered the attacker (0xb7cbb4d43f1e08327a90b32a8417688c9d0b800a) a reward of 1,500 ETH and clear immunity from legal action if the attacker returned the stolen funds.
The attacker’s reply reads: “Great to hear — Funds will be returned — Please make an official statement -signed- by xCarnival CEO granting the owner of 0xb7 a 1500eth bounty and explicitly vetoing lawsuits (link here or tweet)”. The XCarnival team then tweeted.


At 13:45:58, the attacker returned 1,467 ETH to the wallet address provided by XCarnival (0xc087629431256745e6e3d87b3ec14e8b42d47e48).
The transaction was routed from 0xCA back to 0xB7 and finally to the XCarnival wallet 0xC08.
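The hop-by-hop routing just described (0xCA to 0xB7 to the XCarnival wallet 0xC08, plus the batched sends to Tornado.Cash) is the kind of path an analyst reconstructs from a transfer list. The following tracer is an added example, not Tokenview’s tooling: the addresses are the ones named in this article, but the transfer ledger is constructed for illustration (the per-batch amounts and timestamps are made up, and the mixer address is a placeholder). It builds a directed graph of transfers, finds the shortest path between two addresses, and totals the outflow to a labelled destination.

```python
"""Fund-flow tracer over a transfer list (added example, not Tokenview's code).
Addresses below are those named in the article; the ledger itself is constructed."""
from collections import defaultdict, deque

ATTACK_CONTRACT = "0xf70f691d30ce23786cfb3a1522cfd76d159aca8d"  # first attack contract
HACKER = "0xca67615bb9a9cc093e13dee3de1ca55b55ab3586"           # 0xCA
NEGOTIATOR = "0xb7cbb4d43f1e08327a90b32a8417688c9d0b800a"       # 0xB7
RECOVERY = "0xc087629431256745e6e3d87b3ec14e8b42d47e48"         # XCarnival wallet 0xC08
MIXER = "0xMIXER_PLACEHOLDER"   # placeholder label for Tornado.Cash, not a real address

# Constructed sample ledger: (timestamp, sender, receiver, amount in ETH).
# Totals follow the article (120 ETH to the mixer, 1,467 ETH returned);
# the batch split and timestamps are made up.
TRANSFERS = [
    ("06-26 20:00:00", ATTACK_CONTRACT, HACKER, 1980.0),
    ("06-27 01:17:02", HACKER, MIXER, 10.0),
    ("06-27 01:19:40", HACKER, MIXER, 100.0),
    ("06-27 01:22:22", HACKER, MIXER, 10.0),
    ("06-27 13:40:00", HACKER, NEGOTIATOR, 1467.0),
    ("06-27 13:45:58", NEGOTIATOR, RECOVERY, 1467.0),
]


def build_graph(transfers):
    """Adjacency list: sender -> [(receiver, amount, timestamp)], addresses lower-cased."""
    graph = defaultdict(list)
    for ts, src, dst, amount in transfers:
        graph[src.lower()].append((dst.lower(), amount, ts))
    return graph


def trace_path(transfers, src, dst):
    """Shortest hop path from src to dst following transfer direction (BFS), or None."""
    graph = build_graph(transfers)
    src, dst = src.lower(), dst.lower()
    parent = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt, _, _ in graph[cur]:
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def outflow(transfers, src, dst):
    """(total ETH, number of transfers) sent directly from src to dst."""
    src, dst = src.lower(), dst.lower()
    amounts = [a for _, s, d, a in transfers if s.lower() == src and d.lower() == dst]
    return sum(amounts), len(amounts)


def net_balance(transfers, addr):
    """Received minus sent for one address over the whole ledger."""
    addr = addr.lower()
    received = sum(a for _, s, d, a in transfers if d.lower() == addr)
    sent = sum(a for _, s, d, a in transfers if s.lower() == addr)
    return received - sent


if __name__ == "__main__":
    print("return path:", trace_path(TRANSFERS, HACKER, RECOVERY))
    print("to mixer (eth, batches):", outflow(TRANSFERS, HACKER, MIXER))
    print("hacker net balance:", net_balance(TRANSFERS, HACKER))
```

Direction matters: the graph only follows the sender-to-receiver edge, so a query from the recovery wallet back to the hacker returns no path, and the batched mixer sends are counted separately from the amount that actually came back.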

After the XCarnival attacker returned 1,467 ETH, a person (0xfc5724c285213269cc53d6156e8d2fddbbcad626) who said he wanted to act as a mediator started a conversation with the attacker, saying: “Hi sir, I appreciate your action, but I wona apply as a mediator in person to guarantee the deal is safety and valid ;)” There has been no response from the attacker.
Tokenview continues to track the XCarnival incident and provides comprehensive data parsing of it.