NFT Lending Pool XCarnival Loses Nearly $4M in Exploit; Hacker Accepts 1,500 ETH Bounty

Share Article
In Brief
  • A hacker exploited the smart contract, stealing nearly $4 million worth of ETH.

  • He agreed to return the stolen funds in exchange for a 1,500 ETH bounty.

  • The NFT market has become a prime target for attackers, given the surge in popularity.

  • promo

    Top Crypto Exchanges Without KYC Read Now

The Trust Project is an international consortium of news organizations building standards of transparency.

A hacker exploited a smart contract in non-fungible token (NFT) lending pool XCarnival, stealing nearly $4 million from the platform. The hacker has since accepted a 1,500 ETH bug bounty from the team.

NFT lending pool XCarnival nearly lost about $4 million after a hacker exploited a flaw in the smart contract. The hacker gained 3,087 ETH from the exploit on June 26, but the complied with a bug bounty compromise. Blockchain security and data analytics company PeckShield said that the hack was made possible “by allowing a withdrawn pledged NFT to be still used as the collateral, which is then exploited by the hacker to drain assets from the pool.”

XCarnival said that they had suspended the smart contract and would offer the hacker a bounty of 1,500 ETH for returning the funds. They will not pursue legal action against the hacker.

In what is usually a rare occurrence of compliance, the hacker accepted the bounty and said that the funds will be returned, asking for an official statement signed by the XCarnival CEO. He also asked to explicitly veto lawsuits.

XCarnival will be pleased with the turn of events, which could have gone much worse. The hacker too has made away with quite a sum and will not have to worry about legal action.

XCarnival is an NFT lending pool that lets users borrow tokens quickly without selling their NFTs. It essentially offers yields on NFT assets. The team has not relaunched the smart contracts, as it is working on plugging the exploit.

NFT market will have to watch out

This incident is just one of many that has occurred in the NFT market in recent months. As the sector has become more popular, more bad actors have been turning their attention to it. It is much like decentralized finance (DeFi) in its early blooming days, which continues to suffer from attacks, though projects have grown more wary.

The Bored Ape Yacht Club has been among the most high-profile cases, with hackers having stolen four apes valued at over $1 million. NFT marketplaces like Nifty Gateway have also been hacked.

Now with all eyes on NFTs, and more of the wider public taking to the special assets, projects in the space will have to be extra cautious. This sector is particularly vulnerable because of how many new market entrants there are and the ease with which scams can be executed.


All the information contained on our website is published in good faith and for general information purposes only. Any action the reader takes upon the information found on our website is strictly at their own risk.
Share Article

Rahul's cryptocurrency journey first began in 2014. With a postgraduate degree in finance, he was among the few that first recognized the sheer untapped potential of decentralized technologies. Since then, he has guided a number of startups to navigate the complex digital marketing and media outreach landscapes. His work has even influenced distinguished cryptocurrency exchanges and DeFi platforms worth millions of dollars.

Follow Author