According to security agency PeckShield, NFT lending protocol XCarnival was hacked on June 26, and the perpetrator made a profit of 3,087 Ethereum – about $3.8 million.
The hacker’s address is 0xb7CBB4d43F1e08327A90B32A8417688C9D0B800a. According to PeckShield, the attack may have been caused by NFTs that had already been released from the protocol still being accepted as collateral. XCarnival tweeted on June 26 that it had temporarily suspended its smart contracts and would not support deposit and borrowing operations for the time being.
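The condition PeckShield describes, a released NFT that still counts as collateral, is modelled below as an added example; it is not code from XCarnival or PeckShield. The pool, its order records, the `check_custody` switch and the sample names are assumptions made for illustration: with the switch off the borrow path omits the custody check, with it on the loan is rejected, and `unbacked_orders` is the invariant an audit test or monitor would assert.

```python
class LendingPool:
    """Toy NFT-collateral pool. Constructed model, not XCarnival's contract."""

    def __init__(self, check_custody):
        self.check_custody = check_custody  # True enables the hardened borrow path
        self.orders = {}                    # order_id -> order record
        self.next_id = 1

    def pledge(self, owner, nft):
        order_id, self.next_id = self.next_id, self.next_id + 1
        self.orders[order_id] = {"owner": owner, "nft": nft, "in_custody": True, "debt": 0}
        return order_id

    def withdraw(self, owner, order_id):
        order = self._owned(owner, order_id)
        if order["debt"] > 0 or not order["in_custody"]:
            raise ValueError("NFT is not withdrawable")
        order["in_custody"] = False  # NFT leaves the pool, but the order record stays
        return order["nft"]

    def borrow(self, owner, order_id, amount):
        order = self._owned(owner, order_id)
        # The missing check: without it, a released NFT still backs a loan.
        if self.check_custody and not order["in_custody"]:
            raise ValueError("collateral has been released")
        order["debt"] += amount
        return amount

    def _owned(self, owner, order_id):
        order = self.orders[order_id]
        if order["owner"] != owner:
            raise PermissionError("caller is not the pledger")
        return order


def unbacked_orders(pool):
    """Invariant check: every order carrying debt must still hold its NFT."""
    return [oid for oid, o in pool.orders.items() if o["debt"] > 0 and not o["in_custody"]]


def run_scenario(check_custody):
    """Pledge, withdraw, then try to borrow against the stale order (constructed input)."""
    pool = LendingPool(check_custody)
    order_id = pool.pledge("alice", "nft-1")
    pool.withdraw("alice", order_id)
    try:
        pool.borrow("alice", order_id, 10)
        outcome = "loan issued"
    except ValueError as exc:
        outcome = f"rejected: {exc}"
    return outcome, unbacked_orders(pool)
```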
On June 27, the attacker sent 2,967 ETH (about $3.6 million) to the new address of 0xCA, and sent another 120 ETH to Tornado Cash. On the same day, XCarnival negotiated with the attacker on-chain.
At first, XCarnival offered a bug bounty of $300,000 as a condition for the attacker to return the remaining stolen funds, but the hacker raised the condition to 1,500 ETH and asked the team to issue an official statement that the attacker would be given a bounty of 1,500 ETH and be exempt from legal proceedings.
XCarnival complied with the attacker’s conditions and tweeted about it on June 27. After the attacker returned 1,467 ETH, the remaining funds at the address were transferred to Tornado. The router at 20:18:12 showed 100 ETH per transaction, a total of 1,500 ETH, and the current balance of the address is close to 0.
According to Crunchbase data, VC money invested in the field of crypto security exceeded $1 billion in 2021. In 2020, total venture capital in the field was less than $100 million. On April 8, 2022, blockchain security company CertiK announced the completion of its B3 round of financing worth $88 million, bucking the trend in the recent turbulent market environment and once again setting the record for the largest single financing in the blockchain security sector.
The success of Web3 depends on innovative models, especially ones that solve the new security challenges brought about by different application architectures. In Web3, building decentralized applications (dApps) does not depend on the traditional application logic and data layers of Web 2.0. Instead, blockchains, network nodes and smart contracts manage the logic and state of the decentralized internet.
This innovative model brings new security challenges to user and enterprise security:
- The decentralized technology architecture lets the private keys of enterprises or users interact directly with the infrastructure;
- Contract and code security;
- Lack of centralized, unified security management through technical mechanisms;
- The lack of KYC and corporate entities makes legal accountability hard to trace.
Looking at future trends, Web3 security innovation takes place in a transparent, open-source environment, and creative solutions will be produced in such scenarios. Web3 will also likely give birth to a new legal order.