Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Explained: The XCarnival Hack - 889

Rob Behnke, Posted 3 Years Ago
  • XCarnival is an NFT lending platform in which a user can deposit an NFT as collateral against loans. By depositing NFTs as collateral, tokens and other assets can be purchased.
  • When a user deposits an NFT into the platform, they are assigned an orderID. The orderID should have been valid only as long as the collateral (NFT) was still in the system.
  • However, there was a mistake in this logic. The orderID was still valid, even if the collateral had been taken out of the contract. This allowed the receipt to be used to take out loans while the contract no longer possessed the collateral necessary to force the payback of the loan.
  • To launch the attack, the attacker created several contracts and deposited NFT collateral. The reason they used multiple contracts was that there was a limit on the size of loans that could be taken out. As a result, they repeated the attack multiple times to steal 3.8 million ETH.
  • Apparently, they had passed an audit from CertiK. Interesting how this either got missed by the audit or the functionality was changed afterwards. From my perspective, this feels like something I would check quickly. Overall, good bug!
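
The order lifecycle described in the bullets above, as a simplified Python model with the flawed check beside the corrected one. This is an added example, not XCarnival's contract code or anything from the linked article; the class, method and field names and the loan cap value are hypothetical.

```python
from dataclasses import dataclass
from itertools import count


@dataclass
class Order:
    owner: str
    nft: str
    withdrawn: bool = False  # True once the NFT has left the pool
    debt: int = 0


class LendingPool:
    """Toy model; all names and values are hypothetical/constructed."""
    MAX_LOAN = 100  # per-order borrow cap (constructed value)

    def __init__(self, check_collateral):
        self.check_collateral = check_collateral  # False models the flaw
        self.orders = {}
        self._ids = count(1)

    def _owned(self, user, order_id):
        order = self.orders[order_id]
        if order.owner != user:
            raise PermissionError("not the order owner")
        return order

    def deposit(self, user, nft):
        order_id = next(self._ids)
        self.orders[order_id] = Order(user, nft)
        return order_id

    def withdraw(self, user, order_id):
        order = self._owned(user, order_id)
        if order.withdrawn or order.debt:
            raise PermissionError("nothing to withdraw or debt outstanding")
        order.withdrawn = True  # the order record itself is kept

    def borrow(self, user, order_id, amount):
        order = self._owned(user, order_id)
        # The check the flawed logic lacked: is the collateral still here?
        if self.check_collateral and order.withdrawn:
            raise PermissionError("collateral no longer held")
        if order.debt + amount > self.MAX_LOAN:
            raise ValueError("over per-order loan limit")
        order.debt += amount

    def unbacked_debt(self):
        # Invariant for tests/monitoring: this must always be 0.
        return sum(o.debt for o in self.orders.values() if o.withdrawn)
```

`unbacked_debt()` is the property an audit or test suite would assert after every state change: no debt may exist against an order whose collateral has left the pool.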