On Sunday, a hacker was able to exploit a weakness in the smart contract code, according to blockchain security startup PeckShield, and 3,087 ETH were taken.
The XCarnival smart contract has been suspended, and “all deposit and borrowing actions are temporarily not supported,” according to a tweet sent on Sunday.
XCarnival, which describes itself as the “leading metaverse asset bank,” enables users to earn high Annual Percentage Yield (APY) rates by lending NFTs and other compatible cryptocurrencies.
Meanwhile, the native token of the project, XCV, has been severely affected by this recent breach. The token has decreased by 10% over the past 24 hours, but it has increased by 1% over the past week.
The hacker of XCarnival, a metaverse asset loan aggregator, has accepted a bounty of ETH 1,500 (USD 1.85m) in exchange for the return of the remaining ETH 1,467 (USD 1.8m) and the team not pursuing legal action.
Etherscan transactions reveal that the hacker has already sent 1,467 ETH to the team’s common address.
“The breach is made possible by allowing withdrawn promised NFTs to be used as collateral, which is subsequently exploited by the hacker,” PeckShield explained.
In an effort to retrieve the stolen funds, the XCarnival team reached out to the hacker with a $300,000 bounty offer and a promise not to take legal action if the remaining monies were returned.
“1500th – is everyone content? 300th below par, “The hacker said in a statement on the blockchain. The XCarnival team responded, “1500 ETH is acceptable,” and asked the hacker to deliver the remaining funds.
