Sometimes even hackers are on good side
“Metaverse Asset Bank”, Carnival, which experienced a smart contract exploit in a surge of transactions and led to a hacker gaining around 3,000 ETH found a resolution that reduced damage to the platform and made the pirate more beautiful, by PeckShield Inc.
How did the hack happen?
The flaw in the platform’s code allowed hackers to withdraw pledged NFTs and use them as collateral. The mechanism was later used to drain assets from the pool. The main issue was the lack of judgment in the contract that has not checked if the pledged NFT has been withdrawn by the borrower.
As always, the hacker received his funds from the Tornado Cash coin mixing solution, which allowed him to remain completely anonymous. Potentially, the exploiter could have easily washed away the stolen funds and stayed under the radar, then later transferred them to fiat somehow.
The good end
Luckily for platform users and the management team, the hacker agreed to return half of the stolen funds on one condition only: if the whole exploit story would be considered a “bug bounty,” he would avoid all future lawsuits.
He asked the CEO of Carnival to grant the owner of the address ending in “B800a” a bounty of 1,500 ETH in exchange for the stolen funds. Essentially, the platform paid the hacker a bug bounty of $1.8 million, which is considered more than generous.
Since the beginning of the year, the number of exploits and hacks of various DeFi platforms and NFT collections decreased significantly, most likely because of the dropping popularity of both industries and a crash of the cryptocurrency market in May and June.
