In a fast-moving development, XCarnival, which calls itself a Metaverse Asset Bank, negotiated in less than 24 hours the return of half of the 3,087 ETH it lost to a hacker.
By taking advantage of a bug in its smart contract, the attacker borrowed money from the platform using a Bored Ape Yacht Club NFT that had already been withdrawn after being pledged. The same transaction was carried out repeatedly until a watchdog alerted XCarnival, which immediately halted its loan, borrowing, and smart contract operations.
Alert from Watchdog
PeckShield, a blockchain security and data analytics business, alerted the platform's users and said the loss may be significantly bigger. According to PeckShield, the hackers initially withdrew 120 ETH from Tornado Cash and used it for the attack.
The watchdog then revealed more information about how the breach was carried out in a series of tweets.
It explained the vulnerability in one of its tweets: “The hack is made possible by allowing a withdrawn pledged NFT to be still utilized as the collateral, which is then abused by the hacker to drain assets from the pool.”
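The flaw PeckShield describes, as a simplified Python model added here for illustration. It is not XCarnival's contract code; the names `Pool`, `Order`, `check_custody`, `unbacked_debt` and `replay`, and all amounts, are constructed assumptions. It puts the missing custody check in `borrow` beside the corrected one and adds an invariant that a test or monitor could assert.

```python
from dataclasses import dataclass

@dataclass
class Order:
    token_id: int
    withdrawn: bool = False  # True once the NFT has been returned to its owner
    debt: int = 0

class Pool:
    LIMIT = 100  # constructed per-order borrow limit
    def __init__(self, liquidity, check_custody):
        self.liquidity = liquidity
        self.check_custody = check_custody  # False models the flaw, True the fix
        self.orders = []

    def pledge(self, token_id):
        self.orders.append(Order(token_id))
        return len(self.orders) - 1  # order id

    def withdraw(self, oid):
        order = self.orders[oid]
        if order.withdrawn or order.debt:
            raise PermissionError("withdraw refused")
        order.withdrawn = True  # the order record stays behind after the NFT leaves

    def borrow(self, oid, amount):
        order = self.orders[oid]
        # The fix: an order only counts as collateral while the pool holds the NFT.
        if self.check_custody and order.withdrawn:
            raise PermissionError("collateral is no longer held by the pool")
        if order.debt + amount > self.LIMIT or amount > self.liquidity:
            raise ValueError("over limit")
        order.debt += amount
        self.liquidity -= amount

def unbacked_debt(pool):
    """Invariant: debt on orders whose NFT has left the pool must be 0."""
    return sum(o.debt for o in pool.orders if o.withdrawn)

def replay(check_custody, rounds=3):
    """Pledge, withdraw, then borrow on the stale order, repeated `rounds` times."""
    pool, refused = Pool(1000, check_custody), 0
    for _ in range(rounds):
        oid = pool.pledge(1)  # constructed token id, same NFT each round
        pool.withdraw(oid)
        try:
            pool.borrow(oid, Pool.LIMIT)
        except PermissionError:
            refused += 1
    return unbacked_debt(pool), refused, pool.liquidity
```

With the check disabled, `replay(False)` leaves 300 units of debt with no collateral behind it; with the check enabled, every borrow on a withdrawn order is refused and pool liquidity is untouched.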
Almost 12 hours after the incident, XCarnival demanded that the hacker return the funds that had been taken, offered a 1,500 ETH reward, and pledged not to take any further legal action. Blockchain data shows that the exploiter accepted the offer after haggling over a reward that started at 250 ETH and ended at 1,500 ETH.
Fraud and Theft Prevention
Similar circumstances led to negotiations for the return of Hollywood star Seth Green’s Bored Ape #8398, which had been stolen on May 17 in a phishing attack. Green apparently paid 165 ETH (about $300k) to the NFT’s new owner, who had purchased it for $200k in good faith, without realizing that it was stolen.
Fred Simian, as Green had named the NFT character, was to be used as the main character in one of his upcoming shows – White Horse Tavern.
The NFT trade soared from less than $200 million in 2020 to $40 billion in 2021. As a result, incidents of such theft and plagiarism have grown in this area as well. Devin Finzer, CEO of OpenSea, one of the biggest NFT markets, spoke at the beginning of this month on the importance of investing in trust and safety measures. These investments should go toward preventing fraud and theft, among other things.
In this incident, XCarnival’s committed NFT and other on-chain assets were unaffected, and its market operations and product development are currently proceeding normally. XCarnival will keep inviting additional security auditors and members of the white hat community to review all of its contract code. As everyone is aware, CertiK has already inspected every contract for XCarnival.