The “Metaverse Asset Bank,” Carnival, which experienced a smart contract exploit in a flurry of transactions and led to the gain of around 3,000 ETH by a hacker found a resolution that decreased the damage to the platform and made the hacker look better, per PeckShield Inc.
How did the hack happen?
The flaw in the platform’s code allowed hackers to withdraw pledged NFTs and use them as collateral. The mechanism was later used to drain assets from the pool. The main issue was the lack of judgment in the contract that has not checked if the pledged NFT has been withdrawn by the borrower.
As always, the hacker received his funds from Tornado Cash coin mixing solution, which allowed him to remain completely anonymous. Potentially, the exploiter could have easily washed stolen funds and remained under the radar, and then later moved them into fiat somehow.
The good end
Luckily for platform users and the management team, the hacker agreed to return half of the stolen funds on one condition only: if the whole exploit story would be considered a “bug bounty,” he would avoid all future lawsuits.
It seems the remaining 1467 ETH are just returned. @XCarnival_Lab https://t.co/k44zakkAvB https://t.co/h5OKcVM9PN pic.twitter.com/rnUiZyATNJ
— PeckShield Inc. (@peckshield) June 27, 2022
He asked the Carnival CEO to grant the owner of the address ending with “B800a” a 1,500 ETH bounty in exchange for the stolen funds. Essentially, the platform paid the hacker a $1.8 million bug bounty, which is considered more than generous.
Since the beginning of the year, the number of exploits and hacks of various DeFi platforms and NFT collections decreased significantly, most likely because of the dropping popularity of both industries and a crash of the cryptocurrency market in May and June.