NFT Platform OMNI Hit By Re-entrancy Attack, Hacker Drains $1.4M Worth of ETH

OMNI, an NFT financialization protocol, has fallen victim to a re-entrancy exploit, losing over 1,300 ETH, worth $1.4 million. The protocol offers lending and borrowing services: users can lend NFTs and ERC-20 tokens to earn interest, and those same assets can be posted as collateral to borrow against.

What is Re-entrancy?

Reportedly, the hacker exploited a re-entrancy vulnerability in the Omni protocol. Re-entrancy is a class of vulnerability in smart contracts written in Solidity. It arises when a contract makes an external call to an untrusted contract, which lets a rogue actor's contract call back into the original contract before that call returns.

Because the external call runs before the original function has finished updating its own state, it can be used to re-enter the protocol repeatedly and drain its liquidity.

OMNI Protocol Temporarily Suspended

The development team has temporarily suspended the protocol and is investigating the exact cause of the attack. Moreover, as the protocol is still in its beta phase, no customer funds were stolen; only internal testing funds were affected.

How was the OMNI platform exploited?

According to the crypto security firm BlockSec, the attack was "due to the old-school reentrancy of onERC721Received." It also highlighted that the attacker used NFTs from a collection called Doodles to borrow ETH.

The attacker then triggered the re-entrancy by withdrawing all but one of the NFTs deposited as collateral. Each withdrawal invoked the onERC721Received callback on the attacker's contract, and that callback did the attacker's work.

Inside the callback, the attacker used the borrowed funds to purchase more Doodles before the loan was liquidated.

The loan position is liquidated because the value of the remaining collateral NFT is no longer sufficient to cover the debt, and following the liquidation the Doodle NFT used as collateral is returned to the attacker.

This is where the re-entrancy comes into the picture: the attacker forces the borrowed ETH to be spent on more NFTs before the liquidation occurs. The Omni protocol failed to recognize this new debt position, so the attacker could withdraw the NFTs without any repayment.
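To make the callback ordering concrete, here is a constructed, minimal NFT-collateral vault (an added example, not OMNI's code; the contract, the fixed PRICE valuation and the function names are assumptions) showing the vulnerable withdraw order beside the hardened one. Depositing means calling the collection's safeTransferFrom with the vault as recipient, which lands in the vault's onERC721Received hook.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
interface IERC721 { function safeTransferFrom(address, address, uint256) external; }
// Hypothetical NFT-collateralised ETH vault (constructed example, not OMNI's code).
// Every NFT is valued at a fixed PRICE so the solvency check stays one line.
contract NftVault {
    IERC721 public immutable nft;
    uint256 public constant PRICE = 1 ether;
    mapping(uint256 => address) public depositor;       // tokenId -> who deposited it
    mapping(address => uint256) public collateralCount; // NFTs held per borrower
    mapping(address => uint256) public debt;            // wei owed per borrower
    bool private locked;
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }
    constructor(IERC721 _nft) { nft = _nft; }
    receive() external payable {}                       // funds the vault

    // Deposit hook: only the configured collection may credit collateral.
    function onERC721Received(address, address from, uint256 id, bytes calldata) external returns (bytes4) {
        require(msg.sender == address(nft), "wrong collection");
        depositor[id] = from;
        collateralCount[from] += 1;
        return this.onERC721Received.selector;
    }

    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= collateralCount[msg.sender] * PRICE, "undercollateralised");
        debt[msg.sender] += amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // VULNERABLE: solvency is checked on current state, then the NFT is sent. safeTransferFrom
    // runs the receiver's onERC721Received *before* collateralCount drops, so a contract receiver
    // can re-enter borrow() against collateral that is leaving; nothing re-checks debt afterwards.
    function withdrawVulnerable(uint256 id) external {
        require(depositor[id] == msg.sender, "not yours");
        require(debt[msg.sender] <= (collateralCount[msg.sender] - 1) * PRICE, "undercollateralised");
        nft.safeTransferFrom(address(this), msg.sender, id); // interaction before effects
        collateralCount[msg.sender] -= 1;
        delete depositor[id];
    }

    // FIXED: checks-effects-interactions order, plus the same guard borrow() uses.
    function withdraw(uint256 id) external nonReentrant {
        require(depositor[id] == msg.sender, "not yours");
        collateralCount[msg.sender] -= 1;
        delete depositor[id];
        require(debt[msg.sender] <= collateralCount[msg.sender] * PRICE, "undercollateralised");
        nft.safeTransferFrom(address(this), msg.sender, id);
    }
}
```

Note that borrow()'s own nonReentrant modifier does not protect the vulnerable path: the lock is only taken by functions that carry the modifier, and withdrawVulnerable does not, so a guard has to cover every function that makes an external call, or state must be settled before the call as withdraw() does.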

As per Etherscan, the exploiter laundered the funds via Tornado Cash, a coin mixing service for private transactions on the Ethereum blockchain.

It seems that the DeFi and NFT space is constantly being plagued with such attacks, with bad actors making hundreds of millions of dollars. Recently, NFT lending pool XCarnival lost nearly $4 million in an exploit, though the hacker accepted a 1,500 ETH bounty.

One of the most prominent hacks was the Ronin Bridge, where attackers stole over $600 million. There is much speculation that North Korean hackers were behind this incident. Moreover, NFT sales in June fell to a one-year low amid the ongoing crypto bear market.

Voice Of Crypto
voiceofcrypto.online