Omni, a non-fungible token (NFT) platform was hacked for 1,300 ether (ETH) ($1.43 million) as the hacker exploited the firm’s reentrancy vulnerability protocol, according to a Twitter post by PeckShield.
— PeckShield Inc. (@peckshield) July 10, 2022
The NFT money market platform enables users to stake their NFTs on the site in exchange for tokens like ETH, which is typically open staking for well-known collections like Bored Ape Yacht Club.
The hackers borrowed wETH using NFTs from the famous Doodles collection as collateral, then withdrew all but one of the NFTs to carry out the re-entrancy attack. The attacker then used the Tornado Cash cryptocurrency mixer to launder the money.
This resulted in a malicious callback function being activated to the attacker’s advantage. This system allowed the hacker to use the borrowed money to buy additional Doodles before paying off the loan.
Because the value of the NFT used as collateral prior to activating the callback function was insufficient to support the debt position, the loan position is liquidated. Since the attacker can utilise the borrowed WETH to buy more NFTs before the liquidation, this is where reentrancy comes into play.
What is Reentrancy?
Projects written in Solidity are known to be vulnerable to reentrancy. It enables malicious actors to force a smart contract to make an untrusted contract call from outside the smart contract. Prior to the initial function, this external call is executed. As a result, it might be used to repeatedly re-enter the protocol to drain its liquidity.
Customers’ funds are not affected
More than 1,300 WETH ($1.4 million) of the protocol were lost in the attack, but Omni insisted that customer funds were unaffected. The platform is still under beta testing, according to the company, thus only internal testing money was affected.
1/ OMNI is still in a testing (beta). No customer funds were lost, only internal testing funds were affected!
We have suspended the OMNI protocol until we completed the investigation and have everything reviewed again by external security and auditing firms.
— OMNI (@OMNI_xyz) July 10, 2022
The procedure has reportedly been put on hold until an in-depth review is conducted, according to the NFT money market network. Data from Etherscan, however, indicates that the exploiter has already used Tornado Cash, an Ethereum coin mixing service for private transactions, to launder the funds.