Ethereum Lending Protocol XCarnival Hit With $3.8M Exploit, Recovers 50%
The DeFi protocol persuaded a hacker to return $1.9 million.
Updated May 11, 2023 at 5:40 p.m. UTC
XCarnival, a platform based on the Ethereum blockchain that acts as a lending aggregator for NFTs (non-fungible tokens), has recovered 50% of the $3.8 million it lost in an exploit.
- A hacker exploited a smart contract flaw that allowed a pledged asset, in this case a Bored Ape Yacht Club NFT, to also be used as collateral.
- The vulnerability was exploited across multiple transactions in a short window at 12:03 UTC on Sunday, with the hacker siphoning 3,087 ether (ETH).
- "XCarnival was attacked on June 26, 2022 and suspended part of the protocol," the Singapore-based company wrote on Twitter.
- "Currently our smart contract has been suspended, all deposit and borrowing actions are temporarily not supported, please stay tuned, we will confirm the situation as soon as possible," it said.
- According to the protocol's website, total value locked stands at 2992.05 ETH for borrows and 3014.69 ETH for supply.