
XCarnival, an Ethereum-based protocol that acts as a lending aggregator for NFTs, has recovered 50% of the $3.8 million lost in an exploit.
-
A hacker exploited a smart-contract flaw that allowed a pledged asset to also be used as collateral, in this case a Bored Ape Yacht Club non-fungible token (NFT).
-
The vulnerability was exploited in multiple transactions over a short period of time at 12:03 UTC on June 26, with the hacker siphoning out 3,087 ether (ETH).
-
“XCarnival was attacked on June 26, 2022 and suspended part of the protocol,” the Singapore-based company wrote on Twitter.
-
“Currently our smart contract has been suspended, all deposit and borrowing actions are temporarily not supported, please stay tuned, we will confirm the situation as soon as possible,” it said.
-
The XCarnival team offered the hacker a 1,500 ETH bounty, an offer has seemingly been accepted after a wallet tagged as “XCarnival Exploiter” sent 1,467 ETH to the affected wallet, according to Etherscan.
-
According to the protocol’s website, total value locked (TVL) stands at 2992.05 ETH for borrows and 3014.69 ETH for supply.
Read more about
DeFiHackExploitsNFTs

0.21%

0.85%

0.23%

0.51%

0.10%
View All Prices
Sign up for Market Wrap, our daily newsletter explaining what happened today in crypto markets – and why.