How hackers stole 3,000 ETH, NFT lending platform - XCarnival attack analysis incident | Tokenview

Introduction to XCarnival

XCarnival is an NFT lending platform, which is enabled by DeFi platforms that allow NFT owners to pledge their NFT artwork or collectibles in exchange for cryptocurrency or fiat currency.

How does NFT lending work? Platforms that support NFT loans allow holders to borrow funds and set terms without an intermediary. Borrowers can expect to take out loans worth about 50 per cent of the NFT's value, with interest rates ranging from 20 per cent to 80 per cent, depending on how popular the NFT is. The allure of DeFi protocols is that they are simple, transparent and efficient compared to traditional lenders. The asset that the NFT uses as collateral is sent to a secure smart contract, which acts as an unbiased, automated third-party program to complete the entire lending and lending process.

Lenders assess the fair value of the collateral, often by looking at the asset's past performance, sales history, or floor price similar to an NFT. Once the two parties agree on terms, the NFT is transferred from the borrower's wallet to an escrow account, with the smart contract facilitating the borrowing and lending.

XCarnival was hacked and 3,000 ETH stolen

On June 26, NFT lending protocol XCarnival was attacked, and hackers made a profit of 3,000 Ethereum (about $3.8 million), while the protocol loss may be higher.

Xcarnival Platform Asset address:

'XNFTProxy': https://eth.tokenview.io/en/address/0xb14b3b9682990ccc16f52eb04146c3ceab01169a

'XETHProxy': https://eth.tokenview.io/en/address/0xb38707e31c813f832ef71c70731ed80b45b85b2d

Hacker address:
https://eth.tokenview.io/en/address/0xb7cbb4d43f1e08327a90b32a8417688c9d0b800a
https://eth.tokenview.io/en/address/0xca67615bb9a9cc093e13dee3de1ca55b55ab3586

The XCarnival Hack Incident

Tokenview guides you through the entire attack process on XCarnival:

1 Attacker
https://eth.tokenview.io/en/address/0xb7cbb4d43f1e08327a90b32a8417688c9d0b800a withdrew 120 ETH from Tornado.Cash in preparation for the attack.

2 NFT BAYC #5110 was subsequently purchased on Opensea via the Opensea seaport Protocol for 91.65 ETH.

3 Create multiple attack contracts to implement the attack process by transferring BAYC NFTS. Taking contract address 0xf7 as an example, the first attack used contract 0xf7 to collateralize NFTS several times, making a total profit of 1980ETH.

0xf70F691D30ce23786cfb3a1522CFD76D159AcA8d

0xbcf759e6889af3af5cdb02ddc5557aa525e7ed8b

0x3edf976df38f7d6273884b4066e3689ef547d816

0x7b5a2f7cd1cc4eef1a75d473e1210509c55265d8

0x234e4b5fec50646d1d4868331f29368fa9286238

4 The attack took advantage of a contract bug in the NFT lending platform, in which unsecured NFTS were still used as collateral. That is, after the collateral NFT is taken out, its orderID can still be used and loans can be applied for. According to Tokenview, the attackers made at least 3,000 ETH (about $3.8 million).

5 The attacker eventually sold NFT BAYC5110 on Opensea for 85ETH, eventually retrieving 81.56ETH.

XCarnival official response

At 22:07 on June 26, the XCarnival team tweeted that it had suspended smart contracts as well as deposit and loan functions.

At 22:37:19, XCarnival started a conversation with the hackers. The conversation read: 'Hello, we are aware of our contract loophole and we are contacting you to recover the loss. I'd really appreciate it if you'd like to talk to me. We can communicate or trade through contact@xcarnival.fi.'

It wasn't until 1 a.m. on June 27 that XCarnival attackers began moving assets. At 01:12:29, the attackers sent 2,967 pieces of ETH (about $3.6 million) to the new 0xca address, according to Tokenview chain data. And send 120 ETH to Tornado.cash in batches from 01:17:02 to 01:22:22.

, according to data Tokenview chain after a series of dialogue and consultation, XCarnival said (on the premise of the attacker returned to steal money) will give the attacker (0xb7cbb4d43f1e08327a90b32a8417688c9d0b800a) 1500 ETH bounty, And expressly exempt such person from legal proceedings.

The attacker wrote: 'Glad to hear that - the funds will be refunded - please make an official statement - signed by the CEO of xCarnival - giving the oxb7(attacker's address) owner a bounty of 1500ETH and a clear rejection of the lawsuit.' The XCarnival team then tweeted this.

In 13:45:58, provided by an attacker to XCarnival wallet address (0 xc087629431256745e6e3d87b3ec14e8b42d47e48) returned 1467 pieces of the ETH. The specific transaction path is: from 0xca address to 0xb7 address, and finally to XCarnival address 0xc08.

After XCarnival attacker returned 1467 ETH, who want to apply for address 0 xfc5724c285213269cc53d6156e8d2fddbbcad626 as a mediator, to initiate dialogue. 'Sir, I appreciate your action but I would like to apply as a mediator to keep the transaction safe and efficient.' The attackers have not yet responded.

Tokenview will continue to monitor the XCarnival attacker chain dynamics, bringing the most comprehensive data analysis!