To drain Omni’s funds, the attacker used a reentrancy vulnerability. The exploit siphoned approximately $1.4 million from the NFT finance platform.
Omni, a non-fungible token (NFT) money market platform, was drained of approximately 1,300 ether ($1.43 million) in a flash loan repayment attack on Sunday, according to PeckShield.
Omni allows users to stake NFTs from popular collections such as Bored Ape Yacht Club in order to borrow tokens such as ether.
Today’s attack saw the hacker exploit a reentrancy flaw in the Omni protocol. Reentrancy is a class of vulnerability in Solidity contracts in which a rogue actor can cause a smart contract to call an untrusted contract before the original function has finished executing and updating its state. That external call can be used repeatedly to re-enter the protocol and drain its liquidity.
Yajin Zhou, CEO of the blockchain security company BlockSec, explained the exploit to The Block: the attacker deposited NFTs from the Doodles collection and used them as collateral to borrow wrapped ether (WETH).
The attacker then exploited the reentrancy vulnerability by withdrawing all but one of the NFTs that had been deposited as collateral. This withdrawal triggered a callback into the attacker’s contract, which enabled the hacker to use the borrowed funds to buy even more Doodles before the loan position was liquidated.
Once the position has been liquidated, the attacker is entitled to any Doodle NFT remaining from the original collateral. The position is liquidated because the single NFT left as collateral before the callback was invoked was insufficient to cover the loan. The reentrancy window is the point at which the attacker can spend the borrowed WETH on more NFTs.
The attacker then used the Doodles obtained with the original loan to borrow more WETH. Omni did not recognize the new debt position, so the hacker was able to withdraw the NFTs without repaying the loan.
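The pattern described above, as an added illustration and not Omni’s own code: a hypothetical, simplified NFT lending pool whose collateral withdrawal makes the external NFT transfer (which hands control to the recipient’s onERC721Received callback) before the collateral accounting is updated, placed beside a hardened version that applies checks-effects-interactions ordering and a reentrancy guard. The contract names, the fixed per-NFT valuation and the minimal interface are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified NFT lending pool (not Omni's code): each NFT is
// valued at a fixed amount, users deposit NFTs and borrow WETH against them.
interface IERC721Min {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

abstract contract PoolBase {
    IERC721Min public immutable nft;
    uint256 public constant VALUE_PER_NFT = 10 ether; // assumed valuation
    mapping(address => uint256) public collateralCount;
    mapping(address => uint256) public debt;
    constructor(IERC721Min _nft) { nft = _nft; }

    // The borrow limit is read from collateralCount, so any path that reaches
    // this function with stale collateral accounting allows over-borrowing.
    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        require(collateralCount[msg.sender] * VALUE_PER_NFT >= debt[msg.sender], "undercollateralized");
        // WETH transfer to msg.sender omitted for brevity
    }
}

// VULNERABLE: the external call runs before the collateral effect is recorded.
contract VulnerablePool is PoolBase {
    constructor(IERC721Min _nft) PoolBase(_nft) {}
    function withdrawCollateral(uint256 tokenId) external {
        require((collateralCount[msg.sender] - 1) * VALUE_PER_NFT >= debt[msg.sender], "undercollateralized");
        // safeTransferFrom invokes msg.sender's onERC721Received callback while
        // collateralCount still includes the NFT being withdrawn.
        nft.safeTransferFrom(address(this), msg.sender, tokenId);
        collateralCount[msg.sender] -= 1; // effect applied only after the interaction
    }
}

// HARDENED: checks-effects-interactions ordering plus a reentrancy guard.
contract HardenedPool is PoolBase {
    bool private locked;
    modifier nonReentrant() { require(!locked, "reentrant call"); locked = true; _; locked = false; }
    constructor(IERC721Min _nft) PoolBase(_nft) {}
    function withdrawCollateral(uint256 tokenId) external nonReentrant {
        uint256 remaining = collateralCount[msg.sender] - 1;          // check
        require(remaining * VALUE_PER_NFT >= debt[msg.sender], "undercollateralized");
        collateralCount[msg.sender] = remaining;                       // effect
        nft.safeTransferFrom(address(this), msg.sender, tokenId);      // interaction
    }
}
```

In the hardened version, a callback that re-enters borrow() sees the already-decremented collateral count, and a callback that re-enters withdrawCollateral() is rejected by the guard.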
The attack drained more than 1,300 WETH (about $1.4 million) from the protocol. Omni stated that the exploit did not affect customer funds, as only internal testing funds were affected; the platform is still in beta testing.
The NFT money market platform stated that the protocol has been halted pending an investigation. Etherscan data shows that the exploiter has already laundered the funds through Tornado Cash, a cryptocurrency mixing service used for private transactions on Ethereum.