How did hackers steal 3,000 ETH? NFT lending platform XCarnival was attacked
XCarnival is an NFT lending platform that allows NFT owners to pledge their NFT art or collectibles in exchange for cryptocurrency or fiat currency.
How does NFT lending work? Platforms that support NFT lending allow holders to borrow money and set terms without an intermediary.
Borrowers can expect a loan of about 50 % of the value of the NFT, with interest rates ranging from 20 % to 80 %, depending on how popular the NFT is.
The appeal of DeFi protocols compared with traditional lenders is that they are simple, transparent and efficient.
NFT collateral assets are sent to a secure smart contract, which acts as an impartial, automated third party program to complete the lending process.
Lenders assess a collateral’s fair value, usually by looking at the asset’s past performance, sales history or floor value.
Once terms are agreed, the NFT transfers from the borrower’s wallet into an escrow account and the smart contract facilitates borrowing.
XCarnival was attacked and 3,000 ETH stolen
On June 26, the NFT lending protocol XCarnival was hacked. The hackers obtained 3,000 ETH (about $3.8 million), and the protocol's total loss could be much higher.
XCarnival platform asset address (as tracked on the Tokenview ETH explorer):
XCarnival Exploiter | ETH address: 0xb7cbb4d43f1e08327a90b32a8417688c9d0b800a
How XCarnival was attacked:
1. The attacker (0xb7cbb4d43f1e08327a90b32a8417688c9d0b800a) withdrew 120 ETH from Tornado.Cash as "attack preparation".
2. Subsequently, NFT BAYC #5110 was purchased for 91.65 ETH on OpenSea.
3. Multiple attack contracts were created, the NFT was transferred, and the attack was carried out. For example, the first attack used contract 0xf7 to gain 1,980 ETH.
4. The attack exploited a contract bug in the NFT lending platform; according to Tokenview data, the attacker profited by at least 3,000 ETH (approximately $3.8 million).
5. Finally, the attacker sold BAYC #5110 for 85 ETH on OpenSea, recovering 81.56 ETH.
XCarnival official response
At 22:07 on June 26th, the XCarnival team tweeted that they had suspended their smart contracts and deposit and loan functions.
At 22:37:19, XCarnival started a conversation with the hackers: “Hi there, we have become aware of our contract vulnerability and we are contacting you in hopes of recovering this loss. If you’d like to have a conversation, it will be highly appreciated. We can talk through email@example.com or transaction, thanks.”
By 1 am on June 27th, the XCarnival attacker was moving assets.
According to Tokenview data, at 01:12:29 the attacker sent 2,967 ETH (approximately $3.6 million) to a new address, 0xCA. A further 120 ETH was sent to Tornado.Cash in batches between 01:17:02 and 01:22:22.
According to Tokenview, after a series of negotiations, XCarnival offered the attacker (0xb7cbb4d43f1e08327a90b32a8417688c9d0b800a) a 1,500 ETH bounty and explicit immunity from legal action, on condition that the stolen funds were returned.
The attacker’s reply reads: “Great to hear — Funds will be returned — Please make an official statement -signed- by xCarnival CEO granting the owner of 0xb7 a 1500eth bounty and explicitly vetoing lawsuits (link here or tweet)”. The XCarnival team then tweeted.
At 13:45:58, the attacker returned 1,467 ETH to the wallet address provided by XCarnival (0xc087629431256745e6e3d87b3ec14e8b42d47e48).
The funds were routed from 0xCA back to 0xB7 and finally to the XCarnival wallet 0xC08.
After the XCarnival attacker returned 1,467 ETH, a third party (0xfc5724c285213269cc53d6156e8d2fddbbcad626) who said he wanted to act as a mediator initiated a conversation with the attacker, saying, “Hi sir, I appreciate your action, but I wanna apply as a mediator in person to guarantee the deal is safe and valid ;)” There has been no response from the attacker.
Tokenview keeps track of XCarnival events for the most comprehensive data parsing.