XCarnival Exploited For $3.8 Million, But Negotiates Recovery of 50% of Stolen Funds

avatar

EthereumLendingProtocolXCarnivalendures3.8MExploitation.png(Source)

Evening

So just as the crypto world was still stunned by recent $100 million mega hack of Harmony Horizon Bridge, there have been yet another exploit although a bit smaller in magnitude. XCarnival, an Ethereum based NFT lending protocol have been hacked yesterday for 3,087 ETH worth around $3.8 million.

What Happened?
Apparently the perpetrator exploited a flaw in XCarnival's lending protocol, that allowed him to use already withdrawn pledged NFT to be used as collateral. The hacker used already withdrawn pledged Bored Ape Yacht Club NFT as collateral. After discovering the vulnerability in protocol, it was exploited multiple times over a short period of time.

But blockchain security firm, Peckshield saved the day, as after noticing the malicious transactions they informed XCarnival about the exploit. XCarnival acted quickly and suspended the protocol, but hacker had already managed to siphon 3,087 ETH.

1/ @XCarnival_Lab was exploited in a flurry of txs (one hack tx: https://t.co/LUcxSU9UQn),
leading to the gain of 3,087 ETH (~$3.8M) for the hacker (The protocol loss may be larger). pic.twitter.com/mmGw5PQfbt

— PeckShield Inc. (@peckshield) June 26, 2022

Funds Recovery
Soon after hack, XCarnival went into negotiations with hacker, offering him bug bounty reward in return for stolen Ethereum and also ensured no legal action. Bug bounty offers started from 250 Eth and in the end a bargain was struck at 1500 Eth.

Simply speaking the hacker turned out to be a white hat one and XCarnival managed to recover more than 50% of the stolen funds. But all thanks to Peckshield for timely warning regarding the hack, else the magnitude of exploit would have been much higher.

image.png

I call this a win win for both XCarnival and the white hat hacker. First XCarnival was able to carter the bleeding pretty soon due to in warning from Peckshield and second they managed to recover more than 50% of the stolen funds. If the hacker didn't turned out a white hat, the chances of recovering any part of stolen funds were pretty slim. As far as hacker is concerned, 1500 Eth bounty is not a bad. Certainly, not bad for a few hours of exploit.

image.png

image.png

Posted Using LeoFinance Beta



0
0
0.000
3 comments
avatar

Well if the hacker agreed to return some of the funds only after the hack was discovered by someone else that doesn't really make him a white hat, and a white hat would not negotiate a bug bounty while he has all the stolen funds in his wallet, he should have returned the funds first and then accept a bug bounty...Also, a white hat that discovers a vulnerability goes and reports it and does not steal in the first place.

Voted on ListNerds!

0
0
0.000
avatar

This post has been manually curated by @bhattg from Indiaunited community. Join us on our Discord Server.

Do you know that you can earn a passive income by delegating your Leo power to @india-leo account? We share 100 % of the curation rewards with the delegators.

Please contribute to the community by upvoting this comment and posts made by @indiaunited.

0
0
0.000