XCarnival has got 1,467 ETH back, the security agencies have tentatively determined the hacker’s geographic location

2 min read · Jun 27, 2022

According to PeckShield's public analysis, on June 26 XCarnival was attacked by a hacker who exploited a contract vulnerability: by creating multiple pledge orders to pledge BAYC many times, the attacker was able to borrow ETH against them. Taking responsibility for users' assets, XCarnival immediately shut down the contract and its deposit and borrowing functions, and at the same time began analyzing the attacker's ETH address.

The team held multiple rounds of negotiations with the attacker over the return of the assets. At 13:45 (UTC+8) on June 27, the attacker returned 1,467 ETH as a first step. Meanwhile, several security agencies and the police have cooperated closely and have tentatively determined the attacker's geographic location.

In this incident, XCarnival's pledged NFTs and other on-chain assets were not affected, and its product development and market operations are continuing normally. XCarnival will continue to invite more security auditors and the white-hat community to review all of its contract code. As is well known, all of XCarnival's contracts were previously audited by CertiK.

The following is a summary of the incident (partially sourced from PeckShield's public information).

XCarnival was exploited in a flurry of transactions (one hack tx: https://etherscan.io/tx/0x51cbfd46f21afb44da4fa971f220bd28a14530e1d5da5009cfbdfee012e57e35), netting the hacker 3,087 ETH (~$3.8M).

The hack was made possible by allowing a pledged NFT that had already been withdrawn to still be used as collateral, which the hacker exploited to drain assets from the pool.

The initial funds (120 ETH) used to launch the hack were withdrawn from Tornado Cash. Currently 3,087 ETH of the illicit gains still sit in the hacker's account https://etherscan.io/address/0xb7cbb4d43f1e08327a90b32a8417688c9d0b800a

The overall logic is as follows. The hacker first deploys multiple contract addresses. From each of them, the hacker calls the XNFT contract to pledge the NFT, which generates an orderId, and then withdraws the NFT, repeating this operation many times. The hacker then calls the XToken contract's borrow() from those same contract addresses with the previously obtained orderIds. borrow() performs no check that the NFT has already been withdrawn, so the hacker borrows without ever repaying, and keeps repeating this operation.
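To make the missing check concrete, here is an added illustration (not XCarnival's code and not taken from PeckShield's analysis): a hypothetical, heavily simplified pledge-order ledger in Solidity that tracks each order's state, with the unchecked borrow path shown beside the fixed one. All contract, function and variable names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Hypothetical simplified ledger modelled on the flaw described above.
// Not XCarnival's code; every name here is an assumption for illustration.
contract PledgeLedger {
    enum State { None, Pledged, Withdrawn }
    // owner: who pledged; state: collateral lifecycle; debt: ETH lent against it
    struct Order { address owner; State state; uint256 debt; }
    uint256 public nextOrderId = 1;
    mapping(uint256 => Order) public orders;
    uint256 public constant LOAN_PER_NFT = 1 ether; // constructed loan size

    // Records a pledged NFT (token transfer omitted) and returns its order id.
    function pledge() external returns (uint256 orderId) {
        orderId = nextOrderId++;
        orders[orderId] = Order(msg.sender, State.Pledged, 0);
    }

    // Returns the NFT to the pledger but leaves the order record in place.
    function withdrawNFT(uint256 orderId) external {
        Order storage o = orders[orderId];
        require(o.owner == msg.sender, "not owner");
        require(o.debt == 0, "outstanding debt");
        o.state = State.Withdrawn;
    }

    // Vulnerable pattern: ownership is checked, but not whether the collateral
    // is still held, so an order whose NFT was withdrawn can still back a loan.
    function borrowVulnerable(uint256 orderId) external {
        Order storage o = orders[orderId];
        require(o.owner == msg.sender, "not owner");
        o.debt += LOAN_PER_NFT;
        payable(msg.sender).transfer(LOAN_PER_NFT);
    }

    // Fixed: the order must still be Pledged before it can back a loan.
    function borrow(uint256 orderId) external {
        Order storage o = orders[orderId];
        require(o.owner == msg.sender, "not owner");
        require(o.state == State.Pledged, "collateral not held");
        o.debt += LOAN_PER_NFT;
        payable(msg.sender).transfer(LOAN_PER_NFT);
    }

    receive() external payable {} // pool liquidity available to lend out
}
```

Deleting the order record on withdrawal, so the orderId can no longer be referenced at all, closes the gap more thoroughly than a state flag alone. The collateral-state check must be enforced in every borrowing path, because the attacker's use of many fresh contract addresses defeats any defence that relies on the caller's identity.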