What Can We Learn From X-CARNIVAL Hack Attack
XCarnival is a lending aggregator for Metaverse assets which offers innovative liquidation solutions for varieties of NFT assets and long- tail crypto assets.
On June 24, 2022, the NFT lending agreement XCarnival was attacked, and hackers made 3,087 ETH(about $3.8 million). XCarnival officially tweeted that the current smart contract has been suspended, temporarily do not support deposit and loan operations, the team will confirm the specific situation as soon as possible.
“The hack is made possible by allowing a withdrawn pledged [non-fungible token] NFT to be still used as the collateral, which is then exploited by the hacker to drain assets from the pool,” PeckShield said.
In an attempt to recover the stolen funds, the XCarnival team reached out to the hacker with a bounty offer of USD 300,000 and pledged not to pursue law enforcement action if they return the remaining sums.
Meanwhile, the native token of the project, XCV, has been severely affected by this recent breach. The token has decreased by 10% over the past 24 hours, but it has increased by 1% over the past week.
Vulnerability analysis
This attack mainly exploits the vulnerability in the contract during the NFT mortgage that does not check whether the xToken address passed in by the attacker is the address in the project party’s whitelist, and does not detect the status of the mortgage record when borrowing, causing the attacker to repeatedly use the invalid mortgage record for lending.
Conclusion
The address of the Xtoken should be set to a whitelist for restriction and verification. In the business of mortgage lending, the project should conduct multiple verifications on the status of the collateral to prevent the theft of funds due to the undetermined status verification, and the NFT lending platform needs to pay attention to security. In addition, it is recommended to choose a professional security audit company to conduct a comprehensive security audit before the project being deployed on chain to avoid security risks.
About DeHacker
DeHacker is a team of auditors and white hat hackers who perform security audits and assessments. With decades of experience in security and distributed systems, our experts focus on the ins and outs of system security. Our services follow clear and prudent industry standards. Whether it’s reviewing the smallest modifications or a new platform, we’ll provide an in-depth security survey at every stage of your company’s project. We provide comprehensive vulnerability reports and identify structural inefficiencies in smart contract code, combining high-end security research with a real-world attacker mindset to reduce risk and harden code.
