Hacker returns half of the $3.8 million they stole from NFT lender XCarnival

Quick Take

  • XCarnival, an NFT lending pool, lost 3,087 ETH to an exploit on Sunday.
  • The hacker responsible has returned half of the funds, while the protocol has promised not to pursue law enforcement action.

The hacker who exploited NFT lending pool XCarnival for 3,087 ETH ($3.8 million) has returned half of the loot, according to on-chain security researcher and ZenGo co-founder Tal Be’ery.

As an NFT lending pool, XCarnival enables users to borrow funds using their collectibles as collateral for loans. XCarnival suffered a security incident on Sunday that saw the exploiter able to drain $3.8 million in ETH from the platform.

“The core issue was a vulnerability that allowed the attacker to borrow multiple times against the same NFT collateral,” Be’ery told The Block.

The hacker deposited one NFT, Bored Ape #5110, as collateral to borrow funds. Normally, the Bored Ape used as collateral should be locked up by the protocol until repayment of the loan occurs. The hacker was, however, able to withdraw the Bored Ape collateral without repaying the loan and using it to take another loan. This action was repeated several times, draining 3,087 ETH from the protocol.

XCarnival contacted the hacker after the incident via on-chain messages calling for a return of the funds. The NFT lending pool initially offered a $300,000 bounty in exchange for the stolen funds. XCarnival then increased its offer to half of the stolen amount, which the hacker obliged.

The hacker’s wallet still has 1,500 ETH ($1.8 million) as of the time of publishing. The remaining 120 ETH, which was withdrawn from Tornado Cash to carry out the exploit, has been returned.

The NFT lender also promised not to pursue any law enforcement action against the hacker if they returned half of the stolen funds.

It is becoming a popular occurrence for projects to offer bug bounties to hackers responsible for stealing from them. For example, this happened to the exploiter who stole 20 million Optimism tokens from Wintermute earlier in June and subsequently returned 17 million of those coins, with the two sides calling it even.

Harmony also recently offered a $1 million bounty for the return of the $100 million that was stolen from its Horizon bridge protocol on June 23. Harmony’s offer also includes a promise not to advocate for criminal charges against the hackers.


© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Osato is a news reporter at The Block as part of the crypto ecosystems team that focuses on DAO governance, staking, blockchain layers, and DeFi. He was previously a news reporter at Cointelegraph. Based in Lagos, Nigeria, he enjoys crosswords, poker, and attempting to beat his Scrabble high score. Follow him on Twitter at @OsatoNomayo.