XCarnival is a liquidity provider for Ethereum. It recovered 1,467 Ether(ETH) within a day of being impacted by an exploit that took 3,087 ETH (worth approximately $3.8 million) from the protocol.
Peckshield, a blockchain investigator, noticed the XCarnival attack when it discovered a stream transaction that eventually bled 3,087 ETH out of the protocol. Peckshield explained the nature of the attack by saying:
The hacker uses a pledged NFT that has been withdrawn to continue to be used as collateral to drain assets from the pool.
Soon after the attack was discovered, XCarnival proactively notified users of the hack and temporarily suspended some services in order to stop the nuisance. In addition to offering a bounty, the protocol offered 1,500 ETH to the hacker and exempted him from any legal proceedings.
XCarnival was attacked June 26, 2022. The protocol was suspended. XCarnival officials will give 0xb7CBB4d43F1e08327A90B32A8417688C9D0B800a owner 1500 ETH bounty. XCarnival officials will also exempt the individual from any legal action. By XCarnival team
— XCarnival (@XCarnival_Lab) June 27, 2022
Eventually, XCarnival stopped smart contracts and other deposit and borrowing features until it was able to identify and fix the internal bug that allowed the hack. Packshield claims that the hacker used an NFT pledged by the Bored Ape Yacht Club collection (BAYC), as collateral, to drain the assets.
Flowchart showing how the stolen XCarnival money was transferred. Source: Peckshield
The wallet of the XCarnival hacker showed 3,087 ETH in it after the hack. However, the wallet shows 0 ETH as of this writing.
ETH wallet balance for the XCarnival hacker. Source: etherscan.io
XCarnival stated that it would reveal more details in the future.
Related: White-hat hacker tries to recover “millions” of Bitcoin lost, but finds only $105
After efforts by a white-hat hacker to retrieve a locked phone full Bitcoin (BTC), it was revealed that only 0.00300861 BTC had been recovered.
Cointelegraph reported that Joe Grand, a hardware hacker and computer engineer, traveled from Portland, Oregon to recover Bitcoin from a Samsung GalaxySIII phone belonging to Lavar, a local bus operator.
After a lot of hard work, including micro soldering, downloading memory, and finding the Samsung’s swipe pattern to access the Samsung’s wallet, Lavar opened his MyCelium Bitcoin account and found only 0.00300861 BTC. This was worth approximately $105 at the time and roughly $63 at publication.