XCarnival announced an investment of 5000 ETH over the next two years to create the "Security Star" program

On June 26, attackers exploited a contract vulnerability, resulting in a direct loss of 3087 ETH for the XCarnival platform. The XCarnival team members have been working tirelessly, and after multiple rounds of negotiations with the attackers, they have recovered 1467 ETH in the first phase. To demonstrate industry responsibility and protect the interests of XCarnival users and ecosystem partners, XCarnival has launched the "Security Star" program, which mainly includes two parts: smart contract security and an insurance fund, with plans to continuously invest 5000 ETH over the next two years to ensure the safety of the platform and user assets.

Regarding smart contract security, XCarnival stated that as a multi-chain liquidity provider for NFTs, in response to the increasing security challenges, XCarnival has further strengthened its internal cross-audit mechanism and, based on its collaboration with CertiK (which had previously issued an audit report, and CertiK has provided an official clarification regarding this attack to prove that XCarnival's official smart contracts have passed CertiK's audit), has introduced a new external auditing agency, Peck Shield, and will soon launch a vulnerability bounty program.

In terms of the insurance fund, the XFund has been established, primarily aimed at XCarnival itself and its ecosystem partners, with an expected investment of 5000 ETH over the next two years. The main functions of the fund are:

1. The fund will be independently operated by the XCarnival DAO, with the purpose of ensuring the safety of assets and funds on the XCarnival platform.
2. The fund will be responsible for compensating losses incurred by the platform under extreme circumstances due to non-human factors; after the fund is established, it will first compensate the unrecovered portion from the incident (1620 ETH).
3. In the event of liquidation of borrowed assets, the fund will act as the initiator of the liquidation based on the actual situation of the assets to ensure the safety of the borrowed assets.

The proposal of the "Security Star" program is an innovative exploration in the NFTFi industry. Early investors in XCarnival, including A&T, Fundamental Labs, SNZ, GSR, Zonff Partners, and Metasense, have expressed their continued trust and support for XCarnival's development. Meanwhile, XCarnival's ecosystem partners, including Project Galaxy, NFTScan, Solv Protocol, and NFTGo, will continue to support XCarnival in participating in ecosystem co-construction. It is reported that XCarnival's smart contracts will be restarted in about three weeks to continue serving users.

Appendix: Timeline of the incident

1. Attack Occurs (2022-06-26 20:02:46)

2. Contract Closure (2022-06-26 22:00:00)
   Media Report
   Twitter Announcement

3. Negotiations Initiated (2022-06-26 23:29:39)
   On-chain Message
   Media Report
   Twitter Announcement

4. Recovery of Partial Loss (1467 ETH 2022-06-27 13:45:58)
   On-chain Message
   Media Report
   Twitter Announcement

5. New Audit Initiated (2022-06-28 19:19:00)

6. Announcement of Security Star Program

7. Contract Restart (In the next 3 weeks)