Hackers stole $1.43 million from OMNI

NFT lending platform OMNI lost 1,300 ETH, worth about $1.43 million, in a hacker attack. OMNI lets users stake NFTs from popular collections (such as Bored Ape Yacht Club) and rewards them with ETH.

During the attack, the hacker used a reentrancy vulnerability in the OMNI protocol (a well-known class of bug in projects written in Solidity: the contract makes an external call to an unverified contract, which can then call back into the original contract before it has finished updating its own state).

The CEO of blockchain security firm BlockSec, Yajin Zhou, said the hacker deposited NFTs from a collection called Doodles. These NFTs were used as collateral to borrow tokenized ETH.

The hacker then exploited the vulnerability by withdrawing all but one of the NFTs deposited as collateral. This withdrawal triggered a malicious callback function under the hacker's control, which used the borrowed funds to buy more Doodles before the loan position was liquidated.

After the liquidation, the remaining Doodles from the original collateral were returned to the hacker. The loan position could be liquidated because the single NFT left as collateral at the time the callback ran was worth less than the outstanding debt.

The hacker then used the Doodles from the original loan as collateral to borrow more ETH. Because OMNI did not record the new debt position, the hacker was able to withdraw the NFTs without repaying the loan.
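The pattern described above, an external call that fires a receiver callback before the contract has updated its collateral accounting, is easiest to see in code. The following is an added illustration, not OMNI's code: a hypothetical single-collection lending vault with a fixed per-NFT valuation (a real protocol would use a price oracle), shown once with the withdrawal ordered interaction-first and once hardened with checks-effects-interactions ordering plus a reentrancy guard. Contract and function names, the `PRICE_PER_NFT` valuation and the `MAX_LTV_BPS` limit are all constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 surface needed here (constructed for this example).
// safeTransferFrom invokes onERC721Received on a contract recipient,
// which is the callback hook the article's attack relied on.
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Shared vault logic (hypothetical, not a real protocol's code).
abstract contract BaseVault {
    IERC721 public immutable collection;
    uint256 public constant PRICE_PER_NFT = 1 ether; // constructed flat valuation
    uint256 public constant MAX_LTV_BPS = 5000;      // borrow up to 50% of collateral value

    mapping(address => uint256) public collateralCount;
    mapping(uint256 => address) public depositorOf;
    mapping(address => uint256) public debt;

    // Simple reentrancy guard: 1 = unlocked, 2 = locked (non-zero saves gas on resets).
    uint256 private _locked = 1;
    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(IERC721 c) { collection = c; }

    // Pull the NFT in and credit the depositor. transferFrom reverts unless the
    // caller owns or is approved for tokenId, so no separate ownership check is needed.
    function deposit(uint256 tokenId) external nonReentrant {
        collection.transferFrom(msg.sender, address(this), tokenId);
        collateralCount[msg.sender] += 1;
        depositorOf[tokenId] = msg.sender;
    }

    // Record the debt and verify health BEFORE sending ETH (the external call).
    function borrow(uint256 amount) external nonReentrant {
        debt[msg.sender] += amount;
        require(_healthy(msg.sender), "undercollateralized");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function _healthy(address user) internal view returns (bool) {
        return debt[user] * 10_000 <= collateralCount[user] * PRICE_PER_NFT * MAX_LTV_BPS;
    }

    function withdraw(uint256 tokenId) external virtual;

    receive() external payable {}
}

// BUG: the external call runs first. While onERC721Received executes on the
// recipient, collateralCount still counts the NFT being withdrawn, so any function
// re-entered from the callback sees stale (too-high) collateral and a health check
// that passes. The decrement and check only happen after control returns.
contract VulnerableVault is BaseVault {
    constructor(IERC721 c) BaseVault(c) {}

    function withdraw(uint256 tokenId) external override {
        require(depositorOf[tokenId] == msg.sender, "not depositor");
        collection.safeTransferFrom(address(this), msg.sender, tokenId); // interaction first
        collateralCount[msg.sender] -= 1;                                  // effect after
        delete depositorOf[tokenId];
        require(_healthy(msg.sender), "undercollateralized");              // check last
    }
}

// FIX: checks, then effects, then the interaction, and a guard so that even a
// callback that tries to re-enter deposit/borrow/withdraw reverts.
contract HardenedVault is BaseVault {
    constructor(IERC721 c) BaseVault(c) {}

    function withdraw(uint256 tokenId) external override nonReentrant {
        require(depositorOf[tokenId] == msg.sender, "not depositor");      // check
        collateralCount[msg.sender] -= 1;                                  // effect
        delete depositorOf[tokenId];
        require(_healthy(msg.sender), "undercollateralized");              // check on new state
        collection.safeTransferFrom(address(this), msg.sender, tokenId); // interaction last
    }
}
```

Two points worth noting for review of any lending contract: first, the guard alone is not enough if a different contract (a separate lending pool or router) shares the same collateral state and is not covered by the same lock, so the state update must precede the external call regardless; second, `safeTransferFrom` and ETH `call` are both external calls and both belong after every storage write the function makes.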

The attack drained more than 1,300 ETH from the protocol. According to the project, customer funds were not affected, as only funds allocated for testing were lost.