要約

Exploiting a flaw in its smart contract, the attacker used a Bored Ape Yacht ClubNFT, which was already withdrawn after beingpledged, as collateral to borrow from theplatform. The same transaction was repeated several times until a watchdog alertedXCarnival, which promptly paused the operationscontracts,lending, and borrowing. Nearly 12 hours after the attack, XCarnival asked the hacker to return the stolenfunds, offered a 1,500 ETHbounty, and promised exemption from legalaction. As per blockchaindata, the exploiter accepted the offer after a bounty negotiation that began with 250 ETH and settled at 1,500 ETH. In a similar incident, Hollywood personality Seth Green’s Bored Ape8398, stolen in a phishing attack on May17, was negotiated for thereturn. Green reportedly paid 165 ETH for the NFT to its newowner, who had bought it for$200k in goodfaith, unaware that it was a stolen one. The NFT trade skyrocketed from under $200 million in 2020 to$40 billion in2021.Consequently, instances of such theft and plagiarism have also increased in thisspace. Early thismonth, the CEO of one of the largest NFT marketplaces – OpenSea – DerinFinzer, outlined the need for Trust and Safety investments in areas such as theft and scamprevention, among others.

本文翻訳

In a quick-paced development, XCarnival, describing itself as a Metaverse Asset Bank, lost over 3,087 ETH to a hacker and negotiated the return of half of the funds less than 24 hours after the incident. Exploiting a flaw in its smart contract, the attacker used a Bored Ape Yacht Club NFT, which was already withdrawn after being pledged, as collateral to borrow from the platform. The same transaction was repeated several times until a watchdog alerted XCarnival, which promptly paused the operations – smart contracts, lending, and borrowing. Alert from Watchdog The platform for which the loss can be much higher was alerted by blockchain security and data analytics company PeckShield. The initial amount used for the attack was 120 ETH that the hackers withdrew from Tornado Cash, PeckShield said. Subsequently, the watchdog provided more details in a series of tweets as to how the hack was pulled off. “The hack is made possible by allowing a withdrawn pledged NFT to be still used as the collateral, which is then exploited by the hacker to drain assets from the pool,” it said in one of its tweets. Nearly 12 hours after the attack, XCarnival asked the hacker to return the stolen funds, offered a 1,500 ETH bounty, and promised exemption from legal action. As per blockchain data, the exploiter accepted the offer after a bounty negotiation that began with 250 ETH and settled at 1,500 ETH. Theft and Scam Prevention In a similar incident, Hollywood personality Seth Green’s Bored Ape #8398, stolen in a phishing attack on May 17, was negotiated for the return. Green reportedly paid 165 ETH (approx. $300k) for the NFT to its new owner, who had bought it for $200k in good faith, unaware that it was a stolen one. Fred Simian, as Green had named the NFT character, was to be used as the main character in one of his upcoming shows – White Horse Tavern. The NFT trade skyrocketed from under $200 million in 2020 to $40 billion in 2021. Consequently, instances of such theft and plagiarism have also increased in this space. Early this month, the CEO of one of the largest NFT marketplaces – OpenSea – Derin Finzer, outlined the need for Trust and Safety investments in areas such as theft and scam prevention, among others.

引用リンク

出典：https://cryptopotato.com/hacked-lending-protocol-xcarnival-receives-1-9m-worth-of-stolen-eth-back/