- Ethereum-based lending protocol XCarnival was hit with a $3.8 million exploit, confirming a bad actor stole 3,087 ETH.
- Blockchain security firm Peck Shield revealed that the hacker exploited a vulnerability on the platform’s smart contract.
- Analysts are bullish on Ethereum price, predicting a rally in the altcoin with a target of $1,730.
Ethereum-based protocol XCarnival was the target of a hack where 3,087 Ether was drained out of the liquidity provider. The lending aggregator suffered an exploit where bad actors pulled $3.8 million out of XCarnival.
Ethereum based lending aggregator suffers exploit
Ethereum ecosystem’s liquidity provider XCarnival was the target of an exploit, with an amount of Ethereum worth $3.8 million being drained out of the protocol. Peckshield, a blockchain investigator firm, noticed the hack as it came across a stream of transactions that eventually drained 3,087 ETH out of the protocol.
XCarnival allows users to borrow tokens, without selling their NFTs. Users can deposit their cryptocurrencies on the Ethereum-based protocol and earn rewards without selling their digital art or collectibles.
The Ethereum liquidity provider was attacked on June 26 and part of the protocol was suspended. The officials promised the attacker 0xb7CBB4d43F1e08327A90B32A8417688C9D0B800a a 1500 Ether bounty for returning part of the funds.
XCarnival was attacked on June 26, 2022 and suspended part of the protocol. XCarnival officials will give 0xb7CBB4d43F1e08327A90B32A8417688C9D0B800a owner 1500 ETH bounty.— XCarnival (@XCarnival_Lab) June 27, 2022
At the same time, XCarnival officals explicitly exempt the person from legal action.
By XCarnival team
The protocol exempted the attacker from legal action, and negotiated a deal. The platform had a bug, and after withdrawal of the collateralized NFT the orderID was still available for loan request. The hacker funded his account from Tornado, a platform that improves transaction privacy by breaking the on-chain link between source and destination addresses.
The attacker then bought Bored Ape Yacht Club #5110 from OpenSea, the peer-to-peer NFT marketplace. The attacker borrowed funds several times and drained out the protocol, with the use of a single NFT, but the bugged xNFT contract didn’t revoke the credential after withdrawing.
Bug in the contract of XCarnival
@BenWAGMI, the co-founder of Goplus Security, told his followers that on XCarnival, collateral was still valid after withdrawing it and this naive bug was caught by a bad actor.
12) Summary: Collateral is still valid after withdrawing. This is a very simple & naive bug in contract implementation.— ₿en (@BenWAGMI) June 26, 2022
The following pic is the clear call stack in those intertwined internal transactions. It could help if you want to analyse without tools. pic.twitter.com/vo2uQ07u2v
Ethereum stolen in exploit, returned by attacker
The XCarnival team confirmed that the 1,467 ETH was returned by the hacker, after accepting the bounty offer. Officials engaged in multiple rounds of negotiations with the attackers, to redeem the assets. The police and several involved agencies carried out in-depth cooperation to initially determine the location of the attacker’s geographical location.
This is not the first instance in which funds were returned partially. Hackers in DeFi exploits are known to release funds in exchange for a bounty, treating the attack as a “service” and escaping legal action.
Harmony exploit rages as attackers mix $36 million of stolen funds
Harmony Protocol, an open blockchain, was recently attacked for $100 million in altcoins. In a new update, security firms have confirmed that attackers have started laundering funds. $36 million out of 100 was sent to Tornado cash, a mixing service.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.— Harmony (@harmonyprotocol) June 23, 2022
Attackers have sent the funds to the mixer in three separate transactions. A total of 30,000 Ether from the June 23 hack was sent to Tornado cash. The destination of the funds is currently unknown as the mixing service helped conceal the origin of the assets by pooling a significant amount of coins in a single pool and “mixing.”
Tornado cash has emerged as a common point in several DeFi exploits, where attackers bring their funds to mix and conceal origins, therefore successfully laundering money from stolen crypto.
Ethereum price could rally to $1,730
FXStreet analysts evaluated the Ethereum price chart, predicting a rally in the altcoin. Akash Girimath, a leading crypto analyst at FXStreet, believes Ethereum price is grappling with a significant resistance barrier at $1,224.
Ethereum price could move swiftly beyond the confluence and start a rally to the $1,730 hurdle, which would represent a 35% breakout.
Ethereum Perpetual Futures chart
FXStreet analysts have predicted where Ethereum price is headed in the currently price rally. For more information, watch this video:
Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. FXStreet does not in any way guarantee that this information is free from mistakes, errors, or material misstatements. It also does not guarantee that this information is of a timely nature. Investing in Open Markets involves a great deal of risk, including the loss of all or a portion of your investment, as well as emotional distress. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of FXStreet nor its advertisers. The author will not be held responsible for information that is found at the end of links posted on this page.
If not otherwise explicitly mentioned in the body of the article, at the time of writing, the author has no position in any stock mentioned in this article and no business relationship with any company mentioned. The author has not received compensation for writing this article, other than from FXStreet.
FXStreet and the author do not provide personalized recommendations. The author makes no representations as to the accuracy, completeness, or suitability of this information. FXStreet and the author will not be liable for any errors, omissions or any losses, injuries or damages arising from this information and its display or use. Errors and omissions excepted.
The author and FXStreet are not registered investment advisors and nothing in this article is intended to be investment advice.