A hacker exploited a smart contract in XCarnival’s non-fungible token (NFT) lending pool to steal almost $4 million. The hacker has since accepted the team’s offer of 1,500 ETH for finding the bug.
A hacker found a flaw in the smart contract of the NFT lending pool XCarnival and used it to try to steal about $4 million. The hacker made 3,087 ETH from the exploit on June 26, but then agreed to a bug bounty deal.
According to blockchain security and data analytics company PeckShield, the hack was made possible “by allowing a withdrawn pledged NFT to still be used as the collateral, which the hacker then used to drain assets from the pool.”
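
The flaw PeckShield describes comes down to a missing custody check on the borrow path. The Python model below is an added example, not XCarnival's contract code: the `LendingPool` class, its method names, the `check_custody` switch and all amounts are assumptions made for illustration. It shows the flawed check beside the fixed one, plus an invariant suitable for tests or monitoring.

```python
# Simplified model, constructed for illustration; not XCarnival's contract code.
class CollateralWithdrawn(Exception): pass

class LendingPool:
    def __init__(self, liquidity, check_custody):
        self.liquidity = liquidity          # funds available to lend
        self.check_custody = check_custody  # False = flawed borrow path, True = fixed
        self.orders = {}                    # order_id -> pledge record

    def pledge(self, owner, nft_id):
        order_id = len(self.orders) + 1
        self.orders[order_id] = {"owner": owner, "nft": nft_id,
                                 "in_custody": True, "debt": 0}
        return order_id

    def withdraw(self, owner, order_id):
        order = self.orders[order_id]
        if order["owner"] != owner or not order["in_custody"]:
            raise PermissionError("not the holder of an active pledge")
        if order["debt"] > 0:
            raise ValueError("repay the loan before withdrawing collateral")
        order["in_custody"] = False         # NFT leaves the pool; the record stays

    def borrow(self, owner, order_id, amount):
        order = self.orders[order_id]
        if order["owner"] != owner:
            raise PermissionError("not the pledger")
        # The fix: collateral only counts while the pool still holds the NFT.
        if self.check_custody and not order["in_custody"]:
            raise CollateralWithdrawn(order_id)
        if amount > self.liquidity:
            raise ValueError("insufficient liquidity")
        order["debt"] += amount
        self.liquidity -= amount
        return amount

def unbacked_debt(pool):
    """Invariant for tests and monitoring: debt on withdrawn pledges must be 0."""
    return sum(o["debt"] for o in pool.orders.values() if not o["in_custody"])

def pledge_withdraw_borrow(check_custody):
    """Pledge, withdraw, then try to borrow; return (liquidity left, unbacked debt)."""
    pool = LendingPool(liquidity=100, check_custody=check_custody)
    order_id = pool.pledge("alice", nft_id=1)
    pool.withdraw("alice", order_id)
    try:
        pool.borrow("alice", order_id, 40)
    except CollateralWithdrawn:
        pass
    return pool.liquidity, unbacked_debt(pool)
```

With `check_custody=False` the model lends against a pledge whose NFT has already left the pool and `unbacked_debt` becomes non-zero; with `check_custody=True` the same sequence is rejected and the pool's liquidity is unchanged.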