Ethereum: he steals $3 million in ETH… but returns half of it – The remorse of the XCarnival hacker

Remorseful Hacker – Almost every week, the DeFi ecosystem sees its share of scams and hacks of all kinds. In some cases, however, the story ends well, with the stolen funds being returned. That is what has just happened in the hack of the XCarnival protocol.

XCarnival hack: 3,000 ETH stolen

XCarnival is a lending protocol running on the Ethereum and BNB Smart Chain blockchains. It stands out from the usual lending protocols.

Indeed, XCarnival has the particularity of offering loans against an NFT posted as collateral. NFT holders can therefore deposit their tokens as collateral in order to take out a decentralized loan.

Conversely, the usual lending protocols require collateral to be deposited in cryptocurrencies, whether ETH, BTC or stablecoins.

Unfortunately, on June 26, the XCarnival team announced the suspension of its smart contract, blocking deposits and withdrawals.

XCarnival announces the suspension of its service.

Shortly after, the news broke: the protocol had been exploited and the attacker had managed to steal more than 3,000 ETH, a total nest egg of $3.4 million.

In practice, the attacker was able to exploit a flaw allowing him to take out multiple loans against a single NFT.

To do this, he deposited the NFT Bored Ape Yacht Club #5510 on XCarnival. This deposit allowed him to take out a first loan. He was then able to withdraw the NFT without repaying the loan, because of the loophole.

He then repeated the operation until he had siphoned more than 3,087 ETH out of the protocol's pools.
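The pattern the article describes (collateral leaving the pool while the loan it secured stays open) can be shown with a small lending-pool model. The code below is an illustrative example added here, not XCarnival's contract or any code from the project: the loan-to-value ratio, the pool size, the borrower name and the use of NFT id 5510 as the collateral key are constructed assumptions. It runs the deposit-borrow-withdraw loop against a pool whose withdrawal path skips the debt check and against one that enforces it, and includes the invariant a monitor would watch: every open loan must still be backed by a deposited NFT.

```python
"""Illustrative model of an NFT-collateralised lending pool (constructed example).

Not XCarnival's code. Loan-to-value ratio, pool liquidity, NFT value and
borrower name are assumed values chosen to make the arithmetic readable.
"""
from dataclasses import dataclass, field


class LendingError(Exception):
    """Raised when a state transition violates a pool rule."""


@dataclass
class NftLendingPool:
    liquidity: float                      # ETH available to lend (assumed)
    loan_to_value: float = 0.5            # fraction of NFT value lendable (assumed)
    check_debt_on_withdraw: bool = True   # False reproduces the described flaw
    collateral: dict = field(default_factory=dict)  # nft_id -> depositor
    debt: dict = field(default_factory=dict)        # (depositor, nft_id) -> ETH owed

    def deposit_collateral(self, owner: str, nft_id: int) -> None:
        if nft_id in self.collateral:
            raise LendingError("NFT already deposited")
        self.collateral[nft_id] = owner

    def borrow(self, owner: str, nft_id: int, nft_value: float, amount: float) -> None:
        if self.collateral.get(nft_id) != owner:
            raise LendingError("no collateral deposited for this loan")
        if amount <= 0 or amount > nft_value * self.loan_to_value:
            raise LendingError("amount outside the loan-to-value limit")
        if amount > self.liquidity:
            raise LendingError("insufficient pool liquidity")
        self.liquidity -= amount
        self.debt[(owner, nft_id)] = self.debt.get((owner, nft_id), 0.0) + amount

    def repay(self, owner: str, nft_id: int, amount: float) -> None:
        owed = self.debt.get((owner, nft_id), 0.0)
        if amount <= 0 or amount > owed:
            raise LendingError("repayment does not match outstanding debt")
        self.debt[(owner, nft_id)] = owed - amount
        self.liquidity += amount

    def withdraw_collateral(self, owner: str, nft_id: int) -> None:
        if self.collateral.get(nft_id) != owner:
            raise LendingError("not the depositor of this NFT")
        # Hardened rule: collateral stays locked while any debt against it remains.
        if self.check_debt_on_withdraw and self.debt.get((owner, nft_id), 0.0) > 0:
            raise LendingError("outstanding debt; repay before withdrawing")
        del self.collateral[nft_id]


def unbacked_debt(pool: NftLendingPool) -> float:
    """Monitor invariant: total ETH owed on loans whose NFT is no longer held.

    A healthy pool returns 0.0; anything above that is the signal a watcher
    should alert on, since it means collateral left while a loan stayed open.
    """
    return sum(amount for (owner, nft_id), amount in pool.debt.items()
               if pool.collateral.get(nft_id) != owner)


def run_deposit_borrow_withdraw_loop(pool: NftLendingPool, owner: str = "borrower",
                                     nft_id: int = 5510, nft_value: float = 200.0,
                                     max_rounds: int = 100) -> int:
    """Repeat deposit -> borrow -> withdraw with one NFT until the pool refuses a
    step or its liquidity is exhausted. Returns the number of completed rounds."""
    rounds = 0
    per_loan = nft_value * pool.loan_to_value
    for _ in range(max_rounds):
        try:
            pool.deposit_collateral(owner, nft_id)
            pool.borrow(owner, nft_id, nft_value, min(per_loan, pool.liquidity))
            pool.withdraw_collateral(owner, nft_id)
        except LendingError:
            break
        rounds += 1
        if pool.liquidity <= 0:
            break
    return rounds


if __name__ == "__main__":
    flawed = NftLendingPool(liquidity=1000.0, check_debt_on_withdraw=False)
    print("flawed pool rounds:", run_deposit_borrow_withdraw_loop(flawed),
          "liquidity left:", flawed.liquidity, "unbacked debt:", unbacked_debt(flawed))
    hardened = NftLendingPool(liquidity=1000.0)
    print("hardened pool rounds:", run_deposit_borrow_withdraw_loop(hardened),
          "liquidity left:", hardened.liquidity, "unbacked debt:", unbacked_debt(hardened))
```

With the assumed numbers the flawed pool is emptied after ten rounds with 1,000 ETH of debt no longer backed by any NFT, while the hardened pool stops at the first withdrawal attempt: one legitimate loan is open, the NFT is still held, and the unbacked-debt invariant stays at zero. The `unbacked_debt` check is the piece worth carrying over to real monitoring, since it flags the condition regardless of which code path let the collateral out.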


Negotiations with the hacker

As is often the case in this type of situation, the developers of the XCarnival protocol set out to negotiate with the attacker.

They sent an on-chain message to the attacker's address, offering him a $300,000 bug bounty in exchange for the return of the funds.

“We would like to prepare $300,000 as a bug bounty for the monies taken and if you return the funds, we will not pursue the law enforcement actions.”

Message sent by XCarnival to attacker.

A proposal which, it would seem, did not really appeal to the attacker. Instead, he asked for the bounty to be raised to 1,500 ETH, 300 ETH having been deemed “too low”.

For its part, XCarnival was not really in a position to negotiate, and so had no choice but to accept the proposal of 1,500 ETH. A few exchanges followed in which the attacker made sure that he would not be prosecuted.

Finally, on June 27, the attacker proceeded to return the remaining 1,467 ETH, pocketing a nice reward of more than a million dollars in the process.

XCarnival announces return of funds.

Since the incident, XCarnival has been working with Certik to revise its flawed contract. The protocol has also announced that it is in contact with the company Peckshield to carry out a second audit of the code.

Not all protocols are so lucky

In some cases, exploited protocols are not as lucky as XCarnival. This is notably the case for the Harmony blockchain, whose Horizon bridge was attacked last week.

In total, the attacker managed to steal the equivalent of 100 million dollars in cryptocurrencies. Naturally, the protocol's teams tried to get in touch with the attacker, offering him a reward of 1 million dollars for the return of the funds.

A proposal he did not deign to respond to, leaving the Harmony teams without an answer.

More recently, he finally chose to launder the funds, and began transferring the stolen assets en masse to the Tornado Cash protocol in order to cover his tracks.
