Ekta Mourya

FXStreet Follow Following

Ethereum-based protocol XCarnival was the target of a hack where 3,087 Ether was drained out of the liquidity provider. The lending aggregator suffered an exploit where bad actors pulled $3.8 million out of XCarnival.

Ethereum ecosystem’s liquidity provider XCarnival was the target of an exploit, with an amount of Ethereum worth $3.8 million being drained out of the protocol. Peckshield, a blockchain investigator firm, noticed the hack as it came across a stream of transactions that eventually drained 3,087 ETH out of the protocol.

XCarnival allows users to borrow tokens, without selling their NFTs. Users can deposit their cryptocurrencies on the Ethereum-based protocol and earn rewards without selling their digital art or collectibles.

The Ethereum liquidity provider was attacked on June 26 and part of the protocol was suspended. The officials promised the attacker 0xb7CBB4d43F1e08327A90B32A8417688C9D0B800a a 1500 Ether bounty for returning part of the funds.

The protocol exempted the attacker from legal action, and negotiated a deal. The platform had a bug, and after withdrawal of the collateralized NFT the orderID was still available for loan request. The hacker funded his account from Tornado, a platform that improves transaction privacy by breaking the on-chain link between source and destination addresses.

The attacker then bought Bored Ape Yacht Club #5110 from OpenSea, the peer-to-peer NFT marketplace. The attacker borrowed funds several times and drained out the protocol, with the use of a single NFT, but the bugged xNFT contract didn’t revoke the credential after withdrawing.



Bug in the contract of XCarnival

@BenWAGMI, the co-founder of Goplus Security, told his followers that on XCarnival, collateral was still valid after withdrawing it and this naive bug was caught by a bad actor.

12) Summary: Collateral is still valid after withdrawing. This is a very simple & naive bug in contract implementation.

The following pic is the clear call stack in those intertwined internal transactions. It could help if you want to analyse without tools. pic.twitter.com/vo2uQ07u2v

The XCarnival team confirmed that the 1,467 ETH was returned by the hacker, after accepting the bounty offer. Officials engaged in multiple rounds of negotiations with the attackers, to redeem the assets. The police and several involved agencies carried out in-depth cooperation to initially determine the location of the attacker’s geographical location.

It seems the remaining 1467 ETH are just returned. @XCarnival_Lab https://t.co/k44zakkAvB https://t.co/h5OKcVM9PN pic.twitter.com/rnUiZyATNJ

This is not the first instance in which funds were returned partially. Hackers in DeFi exploits are known to release funds in exchange for a bounty, treating the attack as a “service” and escaping legal action.

Harmony Protocol, an open blockchain, was recently attacked for $100 million in altcoins. In a new update, security firms have confirmed that attackers have started laundering funds. $36 million out of 100 was sent to Tornado cash, a mixing service.

1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.

Attackers have sent the funds to the mixer in three separate transactions. A total of 30,000 Ether from the June 23 hack was sent to Tornado cash. The destination of the funds is currently unknown as the mixing service helped conceal the origin of the assets by pooling a significant amount of coins in a single pool and “mixing.”

Tornado cash has emerged as a common point in several DeFi exploits, where attackers bring their funds to mix and conceal origins, therefore successfully laundering money from stolen crypto.

FXStreet analysts evaluated the Ethereum price chart, predicting a rally in the altcoin. Akash Girimath, a leading crypto analyst at FXStreet, believes Ethereum price is grappling with a significant resistance barrier at $1,224.

Ethereum price could move swiftly beyond the confluence and start a rally to the $1,730 hurdle, which would represent a 35% breakout.



Ethereum Perpetual Futures chart

FXStreet analysts have predicted where Ethereum price is headed in the currently price rally. For more information, watch this video:



