After a bug caused 3,087 ETH (about $3.8 million) to be lost, XCarnival, a liquidity provider for the Ethereum ecosystem, got back 1,467 ETH in less than 24 hours.
By stumbling across a series of transactions that drained 3,087 ETH from the protocol, PeckShield, a blockchain investigator, became aware of the XCarnival breach. PeckShield elaborated on the nature of the exploit, saying:
If a promised NFT that has been withdrawn can still be used as collateral, the hacker can leverage this vulnerability to steal funds from the pool.
As soon as XCarnival found out about the hack, it let its users know and temporarily shut down some of its services. In addition to immunity from prosecution, the protocol gave the hacker a prize of 1,500 ETH.
XCarnival eventually disabled the smart contracts and deposit/borrowing functionalities until the security flaw that allowed the hack to occur could be fixed. PeckShield says that the hacker used a nonfungible token (NFT) from the Bored Ape Yacht Club (BAYC) collection that the holder had put up as collateral and then taken back.
After the attack, the XCarnival hacker’s wallet showed 3,087 ETH, but it now shows 0 ETH, which suggests that the remaining assets were successfully taken.
XCarnival has stated that it will provide more information at a later date.
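The flaw described above, a withdrawn NFT that still counts as collateral, comes down to a missing custody check at borrow time. The following simplified Python model is an added example, not XCarnival's contract code; the class and function names, the loan-to-value limit and the sample values in replay() are assumptions made for illustration.

```python
MAX_LTV_PERCENT = 50  # assumed loan-to-value limit, not a figure from the article

class CollateralError(Exception):
    """Raised when an operation would break a collateral rule."""

class LendingPool:
    def __init__(self, liquidity, check_custody):
        self.liquidity = liquidity
        self.check_custody = check_custody  # False models the flaw described above
        self.orders = {}  # order_id -> pledge record

    def _owned(self, owner, order_id):
        order = self.orders.get(order_id)
        if order is None or order["owner"] != owner:
            raise CollateralError("unknown order or wrong owner")
        return order

    def pledge(self, owner, nft_value):
        order_id = len(self.orders) + 1
        self.orders[order_id] = dict(owner=owner, value=nft_value, in_custody=True, debt=0)
        return order_id

    def withdraw(self, owner, order_id):
        order = self._owned(owner, order_id)
        if order["debt"]:
            raise CollateralError("repay debt before withdrawing collateral")
        order["in_custody"] = False  # NFT returned to owner; the record remains

    def borrow(self, owner, order_id, amount):
        order = self._owned(owner, order_id)
        # Hardened path: a pledge record only counts while the pool holds the NFT.
        if self.check_custody and not order["in_custody"]:
            raise CollateralError("collateral is no longer held by the pool")
        if (order["debt"] + amount) * 100 > order["value"] * MAX_LTV_PERCENT:
            raise CollateralError("loan exceeds collateral limit")
        order["debt"] += amount
        self.liquidity -= amount

    def unbacked_debt(self):
        # Audit invariant: debt against collateral the pool does not hold must be 0.
        return sum(o["debt"] for o in self.orders.values() if not o["in_custody"])

def replay(check_custody):
    pool = LendingPool(liquidity=1000, check_custody=check_custody)
    order_id = pool.pledge("alice", nft_value=100)  # constructed sample values
    pool.withdraw("alice", order_id)
    try:
        pool.borrow("alice", order_id, 50)
    except CollateralError:
        pass
    return pool.unbacked_debt(), pool.liquidity
```

replay(False) leaves debt outstanding against an NFT the pool no longer holds, while replay(True) rejects the loan; the unbacked_debt() invariant is the kind of check an audit or monitoring job can assert after every state change.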
What should have been the biggest news story of the year ended up being a letdown as the white-hat hacker who attempted to retrieve the bitcoin from the locked phone found only 0.00300861 BTC.
After carefully microsoldering the phone, downloading the memory, and figuring out the Samsung’s swipe pattern, Lavar opened his Bitcoin wallet on MyCelium and found only 0.00300861 BTC, or about $63 at the time of writing.