Omni, a platform where users can take ETH loans using their NFTs as collateral, has lost over 1,300 ETH (or more than $1.45 million) of its funds in an exploit. The stolen funds were immediately laundered through Tornado Cash.
According to an analysis by Peckshield, a reputable blockchain security firm, hackers bypassed Omni’s security systems through a flash loan reentrancy attack on Sunday, January 10, before wiping clean the decentralized money market’s coffers.
In a bid to improve the generally illiquid NFT market, whose trading volumes have been slumping in the past seven months in response to falling crypto prices, Omni allows holders to take ETH loans using popular NFTs such as BAYC, CryptoPunks, and others, as collateral.
Per Peckshield’s analysis, the exploit used a flash loan reentrancy vector. Reentrancy is a known flaw common with Solidity, the programming language behind Ethereum. As an illustration, a reentrancy attack was used to wreak havoc on the Ethereum DAO in 2016.
In a reentrancy attack, the hacker’s smart contract exploits the vulnerable contract by repeatedly calling its withdraw function before the vulnerable contract updates the recorded balance, draining funds.
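The ordering problem described above can be modeled outside the blockchain. The following is an added example, not Omni's contract code or anything from Peckshield's analysis: a Python model in which an external payment call hands control to the receiver, run once against a vault that updates the balance after paying and once against a vault that updates it first and holds a reentrancy lock. All class and function names are hypothetical.

```python
# Added illustration: a Python model of the pattern, not Omni's code; names are hypothetical.
class UnsafeVault:
    """Pays out first and updates the balance afterwards (the flawed order)."""
    def __init__(self, reserves):
        self.reserves, self.balances = reserves, {}  # pooled funds, per-account credit
    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.reserves += amount
    def withdraw(self, account):
        amount = self.balances.get(account, 0)
        if amount == 0 or self.reserves < amount:
            return
        self.reserves -= amount
        account.receive(self, amount)  # external call: control leaves the vault
        self.balances[account] = 0     # too late, the call above saw the old balance

class GuardedVault(UnsafeVault):
    """Checks-effects-interactions ordering plus a reentrancy lock."""
    def __init__(self, reserves):
        super().__init__(reserves)
        self.locked = False
    def withdraw(self, account):
        if self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True
        try:
            amount = self.balances.get(account, 0)
            if amount == 0 or self.reserves < amount:
                return
            self.balances[account] = 0     # effect: clear the balance first
            self.reserves -= amount
            account.receive(self, amount)  # interaction: external call last
        finally:
            self.locked = False

class ReenteringReceiver:  # test double: its payment hook calls withdraw again
    def __init__(self):
        self.received, self.rejected = 0, 0
    def receive(self, vault, amount):
        self.received += amount
        try:
            vault.withdraw(self)
        except RuntimeError:
            self.rejected += 1

def run(vault_cls, reserves=90, deposit=10):
    vault, acct = vault_cls(reserves), ReenteringReceiver()
    vault.deposit(acct, deposit)
    vault.withdraw(acct)
    return acct.received, vault.reserves, acct.rejected
```

`run` returns the amount the receiver collected, the reserves left in the vault, and the number of rejected reentrant calls, so the two vault classes can be compared on the same constructed deposit.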
Internal Funds Lost
Omni lost its funds after the hacker deposited Doodles NFTs as collateral for loans in WETH. Through the reentrancy vulnerability, they re-entered the protocol to withdraw all but one of the NFTs initially used as collateral. The same NFTs were used to borrow WETH in a loop before the hacker eventually liquidated their position, leading to a $1.45 million loss for Omni.
The decentralized market has since clarified that the protocol is in beta and that only internal funds were lost during the hack. Omni’s testing has since been suspended until an external auditor thoroughly reviews the protocol.
OMNI is still in testing (beta). No customer funds were lost; only internal testing funds were affected! We have suspended the OMNI protocol until we completed the investigation and have everything reviewed again by external security and auditing firms.
NFT and DeFi protocols are not immune to hacks. Although the base layer might be secure, code flaws can be attack vectors leading to the loss of millions of dollars of user funds. As BlockMagnates reported, Ronin Network was hacked for $400 million in late March 2022.