XCarnival, a liquidity provider for the Ethereum ecosystem, recovered 1,467 Ether (ETH) just a day after suffering an exploit that drained 3,087 ETH, worth roughly $3.8 million, from the protocol.
Blockchain investigator Peckshield noticed the XCarnival hack as it came across a stream of transactions that eventually bled 3,087 ETH from the protocol. Explaining the nature of the exploit, Peckshield stated:
“The hack is made possible by allowing a withdrawn pledged NFT to be still used as the collateral, which is then exploited by the hacker to drain assets from the pool.”
Soon after the revelation, XCarnival proactively informed the users about the hack while temporarily suspending a part of its services to counter the annoying attack. The protocol also offered the hacker 1,500 ETH as a bounty in addition to offering exemption from legal proceedings.
XCarnival was attacked on June 26, 2022 and suspended part of the protocol. XCarnival officials will give 0xb7CBB4d43F1e08327A90B32A8417688C9D0B800a owner 1500 ETH bounty.
At the same time, XCarnival officals explicitly exempt the person from legal action.
By XCarnival team
— XCarnival (@XCarnival_Lab) June 27, 2022
Eventually, XCarnival suspended the smart contracts and deposit and borrowing features until it could identify and rectify the internal bug that made the hack possible. According to Packshield, the hacker used a previously withdrawn pledged nonfungible token (NFT) from the Bored Ape Yacht Club (BAYC) collection as collateral to drain the assets.