XCarnival Hacker Accepts ETH 1,500 Bounty and Returns Remaining ETH 1,467
The hacker of XCarnival, a lending aggregator for metaverse assets, has accepted a bounty of ETH 1,500 (USD 1.85m) in exchange for the return of the remaining ETH 1,467 (USD 1.8m) and the team not pursuing legal actions.
Etherscan transactions show that the hacker has already sent ETH 1,467 to the address shared by the XCarnival team.
On Sunday, a hacker was able to exploit a flaw in the smart contract code, blockchain security company PeckShield reported, stating at the time that ETH 3,087 was stolen.
"The hack is made possible by allowing a withdrawn pledged [non-fungible token] NFT to be still used as the collateral, which is then exploited by the hacker to drain assets from the pool," PeckShield said.
In an attempt to recover the stolen funds, the XCarnival team reached out to the hacker with a bounty offer of USD 300,000 and pledged not to pursue law enforcement action if they return the remaining sums.
"1500eth - everyone's happy? 300eth too low," the hacker said in an on-chain message. "1500 ETH is acceptable," the XCarnival team replied, asking the hacker to send the remaining funds.
Per a tweet shared on Sunday, the XCarnival smart contract has been suspended, while "all deposit and borrowing actions are temporarily not supported."
XCarnival, which describes itself as the "top player of metaverse asset bank," allows users to earn high Annual Percentage Yield (APY) rates by lending their NFTs and other supported crypto assets.
Meanwhile, the project's native token XCV has been hit hard by this recent hack. The token is down by 10% over the past 24 hours, while it's up 1% in a week.
- ONE Keeps Trending Lower while Harmony Offers Hacker USD 1M in Bounty for Return of Funds
- ONE Drops as Harmony's Bridge Hacked for Almost USD 100M
- Axie Infinity's Ronin Bridge to Re-Open After Hack, Locked Funds to Be Returned
- Osmosis DEX Hacked for USD 5M, Team Denies Liquidity Pools Being 'Completely Drained'
- The Blame Game Begins as Bored Apes Co-Founder Criticized for Blaming Discord Following Another NFT Exploit
- Hacker Used ‘Social Media Data Leak’ to Steal USD 660K in Crypto from 90 Victims - Police