In a fast-moving development, XCarnival, which describes itself as a Metaverse Asset Bank, lost over 3,087 ETH to a hacker and negotiated the return of half of the funds less than 24 hours after the incident.
Exploiting a flaw in its smart contract, the attacker used a Bored Ape Yacht Club NFT, which was already withdrawn after being pledged, as collateral to borrow from the platform. The same transaction was repeated several times until a watchdog alerted XCarnival, which promptly paused the operations – smart contracts, lending, and borrowing.
Alert from Watchdog
The platform, for which the loss could be much higher, was alerted by blockchain security and data analytics company PeckShield. The initial amount used for the attack was 120 ETH that the hackers withdrew from Tornado Cash, PeckShield said.
Subsequently, the watchdog provided more details in a series of tweets as to how the hack was pulled off.
“The hack is made possible by allowing a withdrawn pledged NFT to be still used as the collateral, which is then exploited by the hacker to drain assets from the pool,” it said in one of its tweets.
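A simplified Python model of the flaw described above, added here as an illustration and not taken from XCarnival's contracts; the pool class, its method names, the flat loan amount and all figures are assumptions. It shows the missing escrow check beside the corrected behaviour, plus an invariant that a monitor could track.

```python
# Toy model of an NFT-collateral lending pool (constructed for illustration;
# all names and amounts are hypothetical, not XCarnival's contract code).
class Pool:
    def __init__(self, liquidity, loan_per_nft, enforce_escrow):
        self.liquidity = liquidity            # ETH available to lend
        self.loan_per_nft = loan_per_nft      # flat loan per pledge, for simplicity
        self.enforce_escrow = enforce_escrow  # False models the reported flaw
        self.orders = {}                      # order_id -> pledge record

    def pledge(self, owner, nft):
        order_id = len(self.orders) + 1
        self.orders[order_id] = {"owner": owner, "nft": nft,
                                 "in_escrow": True, "debt": 0}
        return order_id

    def withdraw(self, owner, order_id):
        order = self.orders[order_id]
        if order["owner"] != owner or order["debt"] > 0 or not order["in_escrow"]:
            raise PermissionError("cannot withdraw")
        order["in_escrow"] = False            # NFT leaves the pool, record remains
        return order["nft"]

    def borrow(self, owner, order_id):
        order = self.orders[order_id]
        if order["owner"] != owner or order["debt"] > 0:
            raise PermissionError("cannot borrow")
        # The check the flaw omits: collateral must still be held by the pool.
        if self.enforce_escrow and not order["in_escrow"]:
            raise ValueError("collateral already withdrawn")
        if self.liquidity < self.loan_per_nft:
            raise ValueError("insufficient liquidity")
        order["debt"] = self.loan_per_nft
        self.liquidity -= self.loan_per_nft
        return self.loan_per_nft

def unbacked_debt(pool):
    """Invariant for monitoring: debt on orders whose NFT is not in escrow."""
    return sum(o["debt"] for o in pool.orders.values() if not o["in_escrow"])

def run_scenario(enforce_escrow, rounds=3):
    """Replay the reported sequence: pledge, withdraw, borrow, repeated."""
    pool = Pool(liquidity=100, loan_per_nft=10, enforce_escrow=enforce_escrow)
    rejected = 0
    for _ in range(rounds):
        oid = pool.pledge("user", "nft-1")
        pool.withdraw("user", oid)
        try:
            pool.borrow("user", oid)
        except ValueError:
            rejected += 1
    return pool.liquidity, unbacked_debt(pool), rejected
```

With the check disabled the pool's liquidity falls while `unbacked_debt` grows; with it enabled every borrow against a withdrawn pledge is rejected and the invariant stays at zero.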
Nearly 12 hours after the attack, XCarnival asked the hacker to return the stolen funds, offered a 1,500 ETH bounty, and promised exemption from legal action. As per blockchain data, the exploiter accepted the offer after a bounty negotiation that began with 250 ETH and settled at 1,500 ETH.
Theft and Scam Prevention
In a similar incident, the return of Hollywood personality Seth Green’s Bored Ape #8398, stolen in a phishing attack on May 17, was negotiated. Green reportedly paid 165 ETH (approx. $300k) for the NFT to its new owner, who had bought it for $200k in good faith, unaware that it was stolen.
Fred Simian, as Green had named the NFT character, was to be used as the main character in one of his upcoming shows – White Horse Tavern.
The NFT trade skyrocketed from under $200 million in 2020 to $40 billion in 2021. Consequently, instances of such theft and plagiarism have also increased in this space. Early this month, Devin Finzer, the CEO of OpenSea, one of the largest NFT marketplaces, outlined the need for Trust and Safety investments in areas such as theft and scam prevention, among others.