Ethereum Lending Protocol XCarnival Hit With $3.8M Exploit, Recovers 50%

XCarnival, a platform based on the Ethereum blockchain that acts as a lending aggregator for NFTs (non-fungible tokens), has recovered 50% of the $3.8 million it lost in an exploit.

• A hacker exploited a smart contract flaw that allowed a pledged asset to also be used as collateral, in this case a Bored Ape Yacht Club NFT.
• The vulnerability was exploited in multiple transactions over a short period of time at 12:03 UTC on Sunday, with the hacker siphoning 3,087 ethers (ETH).
• "XCarnival was attacked on June 26, 2022 and suspended part of the protocol," the Singapore-based company wrote on Twitter.
• "Currently our smart contract has been suspended, all deposit and borrowing actions are temporarily not supported, please stay tuned, we will confirm the situation as soon as possible," it said.
• The XCarnival team offered the hacker a 1,500 ETH bounty, an offer that seemingly been accepted after a wallet tagged as "XCarnival Exploiter" sent 1,467 ETH to the affected wallet, according to Etherscan.
• According to the protocol's website, total value locked stands at 2992.05 ETH for borrows and 3014.69 ETH for supply.