Finance
Share this article

Ethereum Lending Protocol XCarnival Hit With $3.8M Exploit, Recovers 50%

The DeFi protocol persuaded a hacker to return $1.9 million.

By Oliver Knight
Updated May 11, 2023, 5:40 p.m. Published Jun 27, 2022, 10:31 a.m.
Some $3.8 million was siphoned from NFT lending platform XCarnival (Kevin Ku/Unsplash)
Some $3.8 million was siphoned from NFT lending platform XCarnival (Kevin Ku/Unsplash)

XCarnival, a platform based on the Ethereum blockchain that acts as a lending aggregator for NFTs (non-fungible tokens), has recovered 50% of the $3.8 million it lost in an exploit.

  • A hacker exploited a smart contract flaw that allowed a pledged asset to also be used as collateral, in this case a Bored Ape Yacht Club NFT.
  • The vulnerability was exploited in multiple transactions over a short period of time at 12:03 UTC on Sunday, with the hacker siphoning 3,087 ethers (ETH).
  • "XCarnival was attacked on June 26, 2022 and suspended part of the protocol," the Singapore-based company wrote on Twitter.
  • "Currently our smart contract has been suspended, all deposit and borrowing actions are temporarily not supported, please stay tuned, we will confirm the situation as soon as possible," it said.
  • The XCarnival team offered the hacker a 1,500 ETH bounty, an offer that seemingly been accepted after a wallet tagged as "XCarnival Exploiter" sent 1,467 ETH to the affected wallet, according to Etherscan.
  • According to the protocol's website, total value locked stands at 2992.05 ETH for borrows and 3014.69 ETH for supply.

DeFiHackExploitsNFTs

More For You

Protocol Research: GoPlus Security

By CoinDesk Research
Nov 14, 2025
Commissioned byGoPlus
GP Basic Image

What to know:

  • As of October 2025, GoPlus has generated $4.7M in total revenue across its product lines. The GoPlus App is the primary revenue driver, contributing $2.5M (approx. 53%), followed by the SafeToken Protocol at $1.7M.
  • GoPlus Intelligence's Token Security API averaged 717 million monthly calls year-to-date in 2025 , with a peak of nearly 1 billion calls in February 2025. Total blockchain-level requests, including transaction simulations, averaged an additional 350 million per month.
  • Since its January 2025 launch , the $GPS token has registered over $5B in total spot volume and $10B in derivatives volume in 2025. Monthly spot volume peaked in March 2025 at over $1.1B , while derivatives volume peaked the same month at over $4B.
View Full Report

More For You

Cascade Unveils 24/7 Neo-Brokerage Offering Perpetuals on Cryptos, U.S. Stocks

By Will Canny, AI Boost|Edited by Sheldon Reback
2 hours ago
Computer monitors and a laptop screen show trading charts on a desk overlooking an expanse of water at sunset. (sergeitokmakov/Pixabay, modified by CoinDesk)

The platform will let retail traders use one margin account to trade round-the-clock perpetual markets.

What to know:

  • Cascade has introduced a 24/7 brokerage-style app for perpetual markets spanning crypto, U.S. equities and private-asset exposure.
  • The firm is pitching a single, unified margin account with direct-to-bank U.S. dollar capability for deposits and withdrawals.
  • The company has raised $15 million from investors including Polychain Capital, Variant and Coinbase Ventures.

Read full story