Hacker returns half of the $3.8 million they stole from NFT lender XCarnival

Quick Take

  • XCarnival, an NFT lending pool, lost 3,087 ETH to an exploit on Sunday.
  • The hacker responsible has returned half of the funds, while the protocol has promised not to pursue law enforcement action.

The hacker who exploited NFT lending pool XCarnival for 3,087 ETH ($3.8 million) has returned half of the loot, according to on-chain security researcher and ZenGo co-founder Tal Be’ery.

As an NFT lending pool, XCarnival enables users to borrow funds using their collectibles as collateral for loans. XCarnival suffered a security incident on Sunday in which the exploiter drained $3.8 million in ETH from the platform.

“The core issue was a vulnerability that allowed the attacker to borrow multiple times against the same NFT collateral,” Be’ery told The Block.

The hacker deposited one NFT, Bored Ape #5110, as collateral to borrow funds. Normally, a Bored Ape used as collateral should be locked up by the protocol until the loan is repaid. The hacker was, however, able to withdraw the Bored Ape collateral without repaying the loan and use it to take another loan. This action was repeated several times, draining 3,087 ETH from the protocol.
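The missing invariant described above (collateral stays in escrow while its loan is outstanding) can be shown with a small model. This is an added example, not code from the article or from XCarnival's contracts; the class, method names and loan amount are hypothetical, and `unbacked_debt` is the kind of check a protocol monitor could run.

```python
class CollateralLocked(Exception):
    """Withdrawal refused: the position still carries debt."""

class LendingPool:
    """Toy model of an NFT-collateralised pool; not XCarnival's contract code."""

    def __init__(self, enforce_lock, loan_per_nft=10):
        self.enforce_lock = enforce_lock  # False models the reported flaw
        self.loan_per_nft = loan_per_nft  # constructed value, arbitrary units
        self.escrow = {}                  # position id -> NFT held by the pool
        self.debt = {}                    # position id -> outstanding debt

    def deposit(self, nft):
        pid = len(self.debt)              # debt entries are never deleted, so ids are unique
        self.escrow[pid] = nft
        self.debt[pid] = 0
        return pid

    def borrow(self, pid):
        if pid not in self.escrow or self.debt[pid] > 0:
            raise ValueError("no free collateral for this position")
        self.debt[pid] = self.loan_per_nft
        return self.loan_per_nft

    def withdraw(self, pid):
        # Hardened behaviour: collateral is released only once the debt is zero.
        if self.enforce_lock and self.debt[pid] > 0:
            raise CollateralLocked(f"position {pid} owes {self.debt[pid]}")
        return self.escrow.pop(pid)

    def unbacked_debt(self):
        """Invariant check: debt whose collateral has left escrow (should be 0)."""
        return sum(d for pid, d in self.debt.items() if pid not in self.escrow)

def replay_reported_sequence(pool, rounds):
    """Replay the sequence the article reports; return (borrowed, unbacked debt)."""
    borrowed = 0
    for _ in range(rounds):
        pid = pool.deposit("NFT-A")       # constructed token label
        borrowed += pool.borrow(pid)
        try:
            pool.withdraw(pid)            # no repayment has been made
        except CollateralLocked:
            break                         # hardened pool keeps the collateral
    return borrowed, pool.unbacked_debt()

if __name__ == "__main__":
    print("lock not enforced:", replay_reported_sequence(LendingPool(False), 3))
    print("lock enforced:    ", replay_reported_sequence(LendingPool(True), 3))
```

With the lock enforced, the pool's exposure never exceeds one loan per NFT held in escrow, and the unbacked-debt figure stays at zero.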

XCarnival contacted the hacker after the incident via on-chain messages calling for a return of the funds. The NFT lending pool initially offered a $300,000 bounty in exchange for the stolen funds. XCarnival then increased its offer to half of the stolen amount, which the hacker accepted.

