$3 800 000 USD

JUNE 2022




"A more convenient lending protocol for everyone."


"XCarnival is here to create a metaverse financial infrastructure. They will focus on providing liquidity options for all your metaverse assets. Furthermore, they hope to create an industry ecosystem for NFT and Metaverse. In order to do so, they are offering mortgage and loan services for NFT assets. These financial services are available in their P2P and Pool2C models. In addition, they also provide appraisal, leasing and sales solutions for your metaverse long-tail assets. Their featured products are XBroker and XPawn."


"XBroker is a smart contract on an EVM-based public chain. It is an NFT pledge and lending platform. It offers liquidity to the NFT market. In XBroker, users take parts in three different roles: mortgagor, lender and liquidator. It works in a very straightforward way. First, the mortgagor must submit an NFT to pledge and borrow money. Then the lender will earn interest by lending USDxc. Liquidator will then bid at the auction to collect NFTs."


"XCarnival is a lending aggregator for Metaverse assets, which offers innovative liquidation solutions for varieties of NFTs and long-tail crypto assets. As a pioneer of NFT lending provider, XCarnival has won the Championships of BSC Hackathon for Southeast Asia. It's also one of the first projects educating users to adopt the NFT-lending modes with mining rewards. XCarnival is a multi-chain protocol and will deploy on Ethereum, Polygon and Solana."


"On June 26, 2022 XCarnival lost $3.8M after an attacker exploited a logic error in the collateral handling mechanism."


"The hack is made possible by allowing a withdrawn pledged NFT to be still used as the collateral, which is then exploited by the hacker to drain assets from the pool."


"The initial fund (120 ETH) to launch the hack is withdrawn from @TornadoCash. Currently 3,087 ETHs of the illicit gains still stay in the hacker's account."


"Negotiations to partially return stolen funds are ongoing."


"The hacker pledged one NFT, Bored Ape #5110, as security for a loan. The Bored Ape used as collateral should typically be locked up until the debt is paid up.


But the hacker was able to retrieve the Bored Ape without paying back the loan and then used it to get a new loan by exploiting a vulnerability. This action was repeated many times, emptying 3,087 ETH from the protocol."


"The overall logic is that the hacker first generates multiple contract addresses, then goes to call the XNFT contract, pledges the NFT, then generates an orderId, then withdraws the NFT, and repeats this operation multiple times, then calls the XToken contract's borrow() through the previous contract address as well as the orderId. In the call to borrow(), there is no judgment that the NFT has been withdrawn, so the hacker borrowed and then did not pay it back, then keeps repeating this operation."
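The logic error quoted above, as an added illustration constructed for this page (it is not XCarnival's XNFT or XToken code): a minimal pledge/withdraw/borrow contract in which `borrowUnchecked()` trusts the order id alone, and `borrow()` adds the state and custody checks that close the gap. The contract, function, state and variable names, the ETH-denominated loan, and the trimmed ERC-721 interface are all assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration for this page, not XCarnival's XNFT/XToken code.
// Minimal ERC-721 surface the lending contract needs.
interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

contract PledgeLending {
    enum OrderState { None, Pledged, Withdrawn, Borrowed }

    struct Order {
        address pledger;
        address nft;
        uint256 tokenId;
        OrderState state;
    }

    uint256 public nextOrderId = 1;
    mapping(uint256 => Order) public orders;
    mapping(uint256 => uint256) public debt; // orderId => wei owed (assumed ETH-denominated loans)

    // Pledge an NFT: the contract takes custody and hands back an order id.
    function pledge(address nft, uint256 tokenId) external returns (uint256 orderId) {
        IERC721Minimal(nft).transferFrom(msg.sender, address(this), tokenId);
        orderId = nextOrderId++;
        orders[orderId] = Order(msg.sender, nft, tokenId, OrderState.Pledged);
    }

    // Withdraw the NFT before any loan is taken. The order record is not
    // deleted, so the same id can still be presented to a borrow function later.
    function withdraw(uint256 orderId) external {
        Order storage o = orders[orderId];
        require(o.pledger == msg.sender, "not pledger");
        require(o.state == OrderState.Pledged, "not pledged");
        o.state = OrderState.Withdrawn;
        IERC721Minimal(o.nft).transferFrom(address(this), msg.sender, o.tokenId);
    }

    // The unchecked pattern the page describes: a valid-looking order id is
    // enough; nothing asks whether the collateral is still locked.
    function borrowUnchecked(uint256 orderId, uint256 amount) external {
        Order storage o = orders[orderId];
        require(o.pledger == msg.sender, "not pledger");
        debt[orderId] += amount;
        _payout(msg.sender, amount);
    }

    // Hardened form: the order must be in the Pledged state, the contract must
    // still actually hold the token, and the state advances so one pledge
    // backs at most one loan regardless of which address presents the id.
    function borrow(uint256 orderId, uint256 amount) external {
        Order storage o = orders[orderId];
        require(o.pledger == msg.sender, "not pledger");
        require(o.state == OrderState.Pledged, "collateral not locked");
        require(IERC721Minimal(o.nft).ownerOf(o.tokenId) == address(this), "collateral not held");
        o.state = OrderState.Borrowed; // effects before the external interaction
        debt[orderId] += amount;
        _payout(msg.sender, amount);
    }

    // Full repayment releases the collateral back to the pledger.
    function repay(uint256 orderId) external payable {
        Order storage o = orders[orderId];
        require(o.state == OrderState.Borrowed, "no active loan");
        require(msg.value >= debt[orderId], "insufficient repayment");
        debt[orderId] = 0;
        o.state = OrderState.None;
        IERC721Minimal(o.nft).transferFrom(address(this), o.pledger, o.tokenId);
    }

    function _payout(address to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "payout failed");
    }

    // Lenders fund the pool by sending ETH (a simplification of the lender side).
    receive() external payable {}
}
```

The point for reviewers is that `withdraw()` leaves the order record behind, so an order id on its own proves nothing about where the NFT is. A borrow path has to check live state, confirm on-chain that the contract still holds the token, and move the order out of the Pledged state, so that one pledge cannot back more than one loan no matter how many addresses present the same id.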


"XCarnival then communicated with the hacker on-chain and asked for the funds to be returned.


The platform first offered a $300,000 award as restitution for the stolen funds. The hacker later accepted XCarnival’s updated offer of giving them half of the ETH.


The initial funding for the hack, around 120 ETH, was taken out via Tornado Cash. Security organizations and the police have since then worked closely to find the hacker’s geographical location.


However, XCarnival did agree not to take legal action against the hacker in exchange for returning half of the stolen money."


"XCarnival was attacked on June 26, 2022 and suspended part of the protocol. XCarnival officials will give the owner of 0xb7CBB4d43F1e08327A90B32A8417688C9D0B800a a 1500 ETH bounty. At the same time, XCarnival officials explicitly exempt the person from legal action."

XCarnival created a lending protocol which allowed participants to use their NFTs as collateral for loans. Unfortunately, the protocol wasn't entirely bullet-proof and was exploited by an attacker, who found a way to retrieve the NFT they had put up as collateral and still take out loans against it. The attacker funded their account through TornadoCash and took the proceeds back out through TornadoCash. They gave up half of their loot in exchange for the protocol's promise not to pursue legal action against them.

