Omni, an NFTs-for-ETH Loans Platform, Hacked for over $1.45 Million

Omni, an NFTs-for-ETH loans protocol, lost $1.45 million of their internal testing ETH to a hacker on July 10, 2022.
Dalmas

July 11, 2022

Introduction

Omni, a platform where users can take ETH loans using their NFTs as collateral, has lost over 1,300 ETH (more than $1.45 million) of its funds in an exploit. The stolen funds were immediately laundered through Tornado Cash.


According to an analysis by PeckShield, a reputable blockchain security firm, hackers bypassed Omni’s security systems through a flash loan reentrancy attack on Sunday, July 10, before wiping clean the decentralized money market’s coffers.

Omni Hack

In a bid to improve the generally illiquid NFT market, whose trading volumes have been slumping in the past seven months in response to falling crypto prices, Omni allows holders to take ETH loans using popular NFTs such as BAYC, CryptoPunks, and others, as collateral.

Per PeckShield’s analysis, the exploit used a flash loan reentrancy vector. Reentrancy is a known class of flaw in smart contracts written in Solidity, the programming language behind Ethereum. As an illustration, a reentrancy attack was used to wreak havoc on The DAO on Ethereum in 2016.

In a reentrancy attack, the hacker’s smart contract exploits the vulnerable contract by repeatedly calling the withdraw function before it updates its balance, draining funds.
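The ordering bug described above, and its fix, as a simplified Python model (an added example, not Omni's contract code; `Vault`, `Reenterer` and all amounts are constructed for illustration). The hardened path updates the balance before the external call and holds a reentrancy lock while the call is in progress.

```python
# Simplified model, not Omni's code. Vault, Reenterer and all amounts are
# constructed for illustration; calling receive() stands in for an ETH transfer.
class Vault:
    def __init__(self, hardened):
        self.hardened = hardened
        self.balances = {}    # depositor -> credited amount
        self.pool = 0         # funds actually held
        self.locked = False   # reentrancy guard (hardened mode only)
    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount
    def _send(self, who, amount):
        # External call: control passes to the recipient's code.
        self.pool -= amount
        who.receive(self, amount)
    def withdraw(self, who):
        if self.hardened and self.locked:
            raise RuntimeError("reentrant call rejected")
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.pool:
            return
        if not self.hardened:
            self._send(who, amount)   # interaction first ...
            self.balances[who] = 0    # ... balance updated too late
            return
        self.locked = True
        self.balances[who] = 0        # effect before interaction
        try:
            self._send(who, amount)
        finally:
            self.locked = False

class Reenterer:  # recipient whose receive hook calls withdraw() again
    def __init__(self):
        self.received = 0
    def receive(self, vault, amount):
        self.received += amount
        try:
            vault.withdraw(self)
        except RuntimeError:
            pass  # hardened vault refused the nested call

def run(hardened):
    vault, caller = Vault(hardened), Reenterer()
    vault.deposit("other depositors", 9)   # constructed sample amounts
    vault.deposit(caller, 1)
    vault.withdraw(caller)
    return caller.received, vault.pool     # (paid out to caller, left in vault)
```

With the vulnerable ordering, a depositor credited with 1 unit is paid the whole pool; with the hardened ordering the same call sequence pays out exactly the credited amount.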

Internal Funds Lost

Omni lost its funds after the hacker deposited Doodles NFTs as collateral for loans in WETH. Through the reentrancy vulnerability, they re-entered the protocol to withdraw all but one of the NFTs initially used as collateral. The same NFTs were used to borrow WETH in a loop before the hacker eventually liquidated their position, leading to a $1.45 million loss for Omni.


The decentralized market has since clarified that the protocol is in beta and that only internal funds were lost during the hack. Omni’s testing has since been suspended until an external auditor thoroughly reviews the protocol.

OMNI is still in testing (beta). No customer funds were lost; only internal testing funds were affected! We have suspended the OMNI protocol until we completed the investigation and have everything reviewed again by external security and auditing firms.

NFT and DeFi protocols are not immune to hacks. Although the base layer might be secure, code flaws can be attack vectors leading to the loss of millions of dollars of user funds. As BlockMagnates reported, Ronin Network was hacked for $400 million in late March 2022.
