
Hacker Steals $1.4 Million Worth of ETH from Omni, an NFT Lender


Omni, a non-fungible token (NFT) platform, was hacked for 1,300 ether (ETH) ($1.43 million) after a hacker exploited a reentrancy vulnerability in the firm’s protocol, according to a Twitter post by PeckShield.

The NFT money market platform lets users stake their NFTs on the site in exchange for tokens like ETH; staking is typically open to well-known collections like Bored Ape Yacht Club.

The hacker borrowed WETH using NFTs from the famous Doodles collection as collateral, then withdrew all but one of the NFTs to carry out the reentrancy attack. The attacker then used the Tornado Cash cryptocurrency mixer to launder the money.

The withdrawal activated a malicious callback function to the attacker’s advantage. This allowed the hacker to use the borrowed money to buy additional Doodles before paying off the loan.


Because the value of the NFT used as collateral prior to activating the callback function was insufficient to support the debt position, the loan position is liquidated. Reentrancy comes into play because the attacker can use the borrowed WETH to buy more NFTs before the liquidation.

What is Reentrancy?

Projects written in Solidity are known to be vulnerable to reentrancy. It enables malicious actors to force a smart contract to make an external call to an untrusted contract. This external call is executed before the initial function has finished, so the untrusted contract can call back into the protocol while its state is still out of date. As a result, it might be used to repeatedly re-enter the protocol to drain its liquidity.
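A minimal Python model of the pattern described above, added here as an illustration; it is not Omni's contract code and does not come from the original article. The `Pool` and `ReenteringReceiver` classes, the amounts and the `hardened` switch are all hypothetical; the hardened path updates the ledger before the external call and adds a reentrancy lock.

```python
class Pool:
    """Hypothetical toy pool (not Omni's code); withdraw() calls the receiver's callback."""
    def __init__(self, liquidity, hardened):
        self.liquidity = liquidity   # funds belonging to other depositors
        self.balances = {}           # per-account ledger
        self.hardened = hardened
        self._locked = False         # reentrancy guard flag

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.liquidity += amount

    def withdraw(self, account):
        if self.hardened:
            if self._locked:
                raise RuntimeError("reentrant call rejected")
            self._locked = True
        try:
            amount = self.balances.get(account, 0)
            if amount == 0 or self.liquidity < amount:
                return
            if self.hardened:
                self.balances[account] = 0  # effect before interaction
            self.liquidity -= amount
            account.receive(self, amount)   # untrusted external call
            self.balances[account] = 0      # vulnerable path: ledger updated too late
        finally:
            self._locked = False

class ReenteringReceiver:
    """Untrusted contract whose payment callback calls back into the pool."""
    def __init__(self, max_depth):
        self.received, self.blocked, self.depth = 0, 0, 0
        self.max_depth = max_depth

    def receive(self, pool, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            try:
                pool.withdraw(self)         # re-enter before the first call finishes
            except RuntimeError:
                self.blocked += 1           # guard reverted the nested call

def run(hardened):
    pool = Pool(liquidity=100, hardened=hardened)
    receiver = ReenteringReceiver(max_depth=3)  # constructed sample values
    pool.deposit(receiver, 10)
    pool.withdraw(receiver)
    return receiver.received, pool.liquidity, receiver.blocked
```

With the late ledger update, `run(False)` shows the receiver collecting 40 from a deposit of 10; with the hardened ordering, `run(True)` shows it collecting exactly 10 while the nested call is rejected.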

Customers’ funds are not affected

More than 1,300 WETH ($1.4 million) of the protocol’s funds were lost in the attack, but Omni insisted that customer funds were unaffected. The platform is still in beta testing, according to the company, so only internal testing funds were affected.

The protocol has reportedly been put on hold until an in-depth review is conducted, according to the NFT money market network. Data from Etherscan, however, indicates that the exploiter has already used Tornado Cash, an Ethereum coin mixing service for private transactions, to launder the funds.
