On Sunday, an exploit cost XCarnival, an NFT lending pool, 3,087 ETH. The hacker has refunded half of the money, and the protocol has promised not to pursue legal action.
According to on-chain security researcher and ZenGo co-founder Tal Be’ery, the hacker who attacked NFT lending pool XCarnival for 3,087 ETH ($3.8 million) has returned half of the cash.
XCarnival, an NFT lending pool, let users borrow dollars by using their collectibles as collateral for loans. On Sunday, XCarnival experienced a security breach that allowed an exploiter to steal $3.8 million in ETH from the network.
“The core issue was a vulnerability that allowed the attacker to borrow multiple times against the same NFT collateral,”
To borrow funds, the hacker put up one NFT, Bored Ape #5110, as collateral. Normally, the process should lock up the Bored Ape used as collateral until the loan is repaid.
However, the hacker was able to remove the Bored Ape collateral without repaying the loan and use it to obtain another loan. This activity was done numerous times, draining the protocol of 3,087 ETH.
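The failure described above is a broken accounting invariant: debt stayed open after the pool released the collateral backing it. The following toy model is an added example, not XCarnival's contract code; every name and amount in it is hypothetical. It puts a pool without the lock check next to one that enforces it, and defines the invariant a test suite or monitor could assert.

```python
# Added illustration: a toy pool model, not XCarnival's contract code (all names hypothetical).
class CollateralError(Exception):
    """Raised when an operation would break the collateral rules."""

class Pool:
    def __init__(self, liquidity, loan_per_nft, enforce_lock):
        self.liquidity = liquidity
        self.loan_per_nft = loan_per_nft
        self.enforce_lock = enforce_lock   # False models the missing check
        self.held = {}                     # nft_id -> owner, NFTs in pool custody
        self.debt = {}                     # nft_id -> amount owed against it

    def pledge(self, owner, nft_id):
        if nft_id in self.held:
            raise CollateralError("already pledged")
        self.held[nft_id] = owner

    def borrow(self, owner, nft_id):
        if self.held.get(nft_id) != owner:
            raise CollateralError("collateral not in custody")
        if self.enforce_lock and self.debt.get(nft_id, 0) > 0:
            raise CollateralError("loan already open on this collateral")
        amount = min(self.loan_per_nft, self.liquidity)
        self.liquidity -= amount
        self.debt[nft_id] = self.debt.get(nft_id, 0) + amount
        return amount

    def withdraw(self, owner, nft_id):
        if self.held.get(nft_id) != owner:
            raise CollateralError("not the pledger")
        if self.enforce_lock and self.debt.get(nft_id, 0) > 0:
            raise CollateralError("repay before withdrawing collateral")
        del self.held[nft_id]

def unbacked_debt(pool):
    """Invariant to monitor: debt whose collateral the pool no longer holds."""
    return sum(d for nft, d in pool.debt.items() if nft not in pool.held)

def replay(pool, owner, nft_id, rounds):
    """Regression scenario: pledge, borrow, withdraw, repeated with one NFT."""
    taken = 0
    for _ in range(rounds):
        try:
            pool.pledge(owner, nft_id)
            taken += pool.borrow(owner, nft_id)
            pool.withdraw(owner, nft_id)
        except CollateralError:
            break
    return taken
```

With the check disabled, `replay` empties the pool's liquidity and `unbacked_debt` equals everything lent; with it enabled, the first withdrawal is rejected and the invariant stays at zero.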
Following the incident, XCarnival contacted the hacker through on-chain messages, requesting that the funds be returned. In exchange for the stolen funds, the NFT lending pool first offered a $300,000 reward. XCarnival then raised its offer to half the money stolen, which the hacker accepted.
As of the time of publication, the hacker’s wallet contained 1,500 ETH ($1.8 million). The remaining 120 ETH withdrawn from Tornado Cash in order to carry out the exploit have been returned.
In exchange for returning half of the stolen funds, the NFT lender committed not to pursue any legal action against the hacker.
It is becoming increasingly common for projects to pay bug bounties to hackers who steal from them. This happened, for example, with the exploiter who stole 20 million Optimism tokens from Wintermute earlier in June and later returned 17 million of those coins, with the two parties considering it even.
Harmony also just announced a $1 million reward for the recovery of the $100 million stolen on June 23 via its Horizon bridge protocol. Harmony’s offer also includes a commitment not to press charges against the hackers.