NFT platform OMNI hit by re-entrancy exploit, lost $1.4 million in ETH
OMNI – an NFT financing platform that lends cryptocurrency against deposited NFTs – fell victim to a reentrancy exploit that led to the loss of nearly 1,300 ETH, worth $1.4 million at the time.
It seems like a reentrancy-related hack. @ParallelFi @OMNI_xyz The stolen funds were only mixed via @TornadoCash pic.twitter.com/XxxVyX80Fq
– PeckShield Inc. (@peckshield) July 10, 2022
Bad debt due to bad code
The project lost its funds in an attack carried out with NFTs from the Doodles collection. The perpetrator first deposited Doodles as collateral for a loan of wrapped ETH (wETH). Once the loan was issued, the attacker was able to withdraw all but one of the Doodles, triggering a repayment function that cancelled the debt incurred by borrowing the wETH.
With those two steps complete, the single Doodle left on the platform no longer covered the outstanding debt. The system then liquidated the position, which also returned the last Doodle to the attacker.
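Reentrancy attacks of this kind succeed when a contract makes an external call (here an NFT transfer, which invokes the receiver's onERC721Received hook) before it has finished updating its own accounting. The following simplified NFT lender is an added illustration, not OMNI's code: the contract, the constants COLLATERAL_VALUE and MAX_LTV_BPS, and the use of native ETH in place of wETH are assumptions; it shows the checks-effects-interactions ordering plus a reentrancy guard on the withdraw path.

```solidity
pragma solidity ^0.8.17;

// Minimal ERC-721 surface needed here. Hypothetical simplified lender, not OMNI's code;
// native ETH stands in for wETH and every NFT is valued flat at COLLATERAL_VALUE.
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract NftLenderHardened {
    IERC721 public immutable nft;
    uint256 public constant COLLATERAL_VALUE = 1 ether; // assumed value per NFT
    uint256 public constant MAX_LTV_BPS = 5000;         // assumed 50% loan-to-value
    mapping(uint256 => address) public depositor;       // tokenId => borrower
    mapping(address => uint256) public collateralCount; // NFTs held per borrower
    mapping(address => uint256) public debt;            // ETH owed per borrower
    bool private locked;                                // reentrancy guard state

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true; _; locked = false;
    }
    constructor(IERC721 nft_) payable { nft = nft_; } // funded with lendable ETH
    function healthy(address user) public view returns (bool) {
        return debt[user] * 10_000 <= collateralCount[user] * COLLATERAL_VALUE * MAX_LTV_BPS;
    }
    function deposit(uint256 tokenId) external nonReentrant {
        depositor[tokenId] = msg.sender;
        collateralCount[msg.sender] += 1;
        nft.transferFrom(msg.sender, address(this), tokenId); // pull without a hook into us
    }
    function borrow(uint256 amount) external nonReentrant {
        debt[msg.sender] += amount;                  // record the debt first...
        require(healthy(msg.sender), "exceeds LTV"); // ...so the check sees it
        payable(msg.sender).transfer(amount);        // interaction last
    }
    // Collateral accounting and the solvency check run *before* safeTransferFrom, which
    // hands control to the receiver's onERC721Received hook; accounting done after that
    // call would be seen by a re-entering caller in a stale state. nonReentrant also
    // blocks re-entry into any guarded function outright.
    function withdraw(uint256 tokenId) external nonReentrant {
        require(depositor[tokenId] == msg.sender, "not depositor");
        delete depositor[tokenId];
        collateralCount[msg.sender] -= 1;
        require(healthy(msg.sender), "would be undercollateralized");
        nft.safeTransferFrom(address(this), msg.sender, tokenId);
    }
}
```

Because the solvency check runs against the post-withdraw collateral count, a borrower cannot pull collateral out from under an open loan, whether or not the transfer hook re-enters the contract.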
No chance of a White Hat appeal
In the wake of recent DeFi attacks, the developers of freshly exploited projects have often made public appeals to those behind the hack, offering to treat the incident as a white-hat event in exchange for the return of most or all of the stolen funds.
In some cases this has worked: the Optimism exploiter, for example, returned most of the funds after asking Vitalik Buterin for advice. Developers at Harmony recently tried the same approach but were simply ignored as laundering of the stolen tokens began.
Here the appeal never had a chance to be made, as the attacker immediately sent the newly acquired wETH to Tornado Cash, a mixing service that obscures the origin of funds. Because of that property it is frequently used by cybercriminals to launder ill-gotten gains.
The OMNI protocol has been suspended
The OMNI protocol, still in beta, has been shut down by its developers pending a review and security updates. The OMNI team also confirmed that no customer funds were affected by the exploit, stating that the drained wETH was “internal test funds”.
“OMNI is still in testing (beta). No customer funds were lost, only internal test funds were affected! We have suspended the OMNI protocol until we have completed the investigation and everything has been reviewed by external security and audit firms.”
Unfortunately for the project's developers and fans, it looks like OMNI will have to remain in beta for a while longer than planned.