NFT liquidity solver XCarnival was exploited with a total loss of 3087 ETH

According to Go+ Security researcher Ben, the NFT lending platform XCarnival was exploited 13 hours ago. At least 3000 $ETH (~$3.8M) was stolen.

The original Tweet from XCarnival

Here’s a brief analysis of this incident:

7. Then Slave 5338 withdrew the NFT and sent it back to the Master, who repeated this process with the other Slaves. In this way they created many orderIds, which could later be used as lending credentials. But the buggy xNFT contract didn't revoke the credential after the withdrawal.

8. Next, the Master called all the Slaves in turn to borrow $ETH from the xETH contract. Attack completed. The hacker borrowed money against nothing: the collateral NFT had already been withdrawn. One of the transactions: https://etherscan.io/tx/0xabfcfaf3620bbb2d41a3ffea6e31e93b9b5f61c061b9cfc5a53c74ebe890294d

9. The above is the big picture. Let’s dive into some details. In the xNFT contract, withdrawNFT() does not nullify the orderId after the withdrawal, so by the time the P2controller calls getOrderDetail(), the order is still valid.

10. In xETH, borrow() calls borrowInternal(), which then calls controller.borrowAllowed() to verify whether an orderId is valid.

11. Here is borrowAllowed() in P2controller. It first asks xNFT.getOrderDetail(). There are many other restrictions, but none of them stops the hacker. Note: the reason the hacker needed multiple Slaves is the amount check for a single order at the bottom.

Summary: the collateral is still treated as valid after it has been withdrawn. This is a very simple and naive bug in the contract implementation. The following picture is the clear call stack of those intertwined internal transactions; it could help if you want to analyze the attack without tools.
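As an added illustration (not XCarnival's code), the following Python model reproduces the stale-credential check described in steps 9 to 11: a switch selects whether withdrawNFT() invalidates the order, and borrow_allowed() applies the per-order amount cap that forced the attacker to spread borrows across many orderIds. Class, method and field names are hypothetical.

```python
class LendingModel:
    """Constructed model of the xNFT vault/orders plus the P2controller check.
    Names are hypothetical; this is not XCarnival's actual contract code."""
    CAP_PER_ORDER = 100  # the single-order amount check noted in step 11

    def __init__(self, revoke_on_withdraw: bool):
        self.revoke_on_withdraw = revoke_on_withdraw  # False reproduces the bug
        self.orders = {}      # order_id -> {owner, nft_id, withdrawn}
        self.nft_holder = {}  # nft_id -> address currently holding the NFT
        self.borrowed = {}    # order_id -> amount already borrowed against it

    def pledge_nft(self, sender, nft_id):  # xNFT: NFT enters the vault, orderId issued
        self.nft_holder[nft_id] = "xNFT"
        order_id = len(self.orders) + 1
        self.orders[order_id] = {"owner": sender, "nft_id": nft_id, "withdrawn": False}
        return order_id

    def withdraw_nft(self, sender, order_id):  # xNFT: NFT leaves the vault
        order = self.orders[order_id]
        assert order["owner"] == sender, "not the order owner"
        self.nft_holder[order["nft_id"]] = sender
        if self.revoke_on_withdraw:
            order["withdrawn"] = True  # the fix: the credential dies with the collateral

    def get_order_detail(self, order_id):  # xNFT: what the controller asks for
        order = self.orders.get(order_id)
        return None if order is None or order["withdrawn"] else order

    def borrow_allowed(self, sender, order_id, amount):  # P2controller
        order = self.get_order_detail(order_id)
        if order is None or order["owner"] != sender:
            return False
        return self.borrowed.get(order_id, 0) + amount <= self.CAP_PER_ORDER

    def borrow(self, sender, order_id, amount):  # xETH: borrowInternal -> borrowAllowed
        if not self.borrow_allowed(sender, order_id, amount):
            return False
        self.borrowed[order_id] = self.borrowed.get(order_id, 0) + amount
        return True


def withdraw_then_borrow(revoke_on_withdraw, n_orders=3):
    """Re-pledge and withdraw one NFT n_orders times, then borrow the cap on each
    stale orderId. Returns (total borrowed, who holds the NFT at the end)."""
    m = LendingModel(revoke_on_withdraw)
    order_ids = []
    for _ in range(n_orders):
        order_ids.append(m.pledge_nft("borrower", 5338))
        m.withdraw_nft("borrower", order_ids[-1])
    total = sum(m.CAP_PER_ORDER for oid in order_ids
                if m.borrow("borrower", oid, m.CAP_PER_ORDER))
    return total, m.nft_holder[5338]
```

With the switch off, every stale orderId still passes the controller and the total borrowed grows with the number of orders while the NFT sits with the borrower; with it on, nothing can be borrowed against a withdrawn order.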


Go+ Security, Everyone’s Security Tool! Go+ is an open, permissionless, user-driven security service platform for all types of blockchain users.
