Omni, a non-fungible token (NFT) money market platform, was drained of about 1,300 ETH ($1.43 million) in a flash loan reentrancy attack on Sunday, according to PeckShield.
Omni allows users to stake their NFTs, usually from popular collections like Bored Ape Yacht Club, to receive tokens like ether (ETH).
Today’s attack saw the hacker exploit a reentrancy vulnerability in the Omni protocol. Reentrancy is a well-known class of vulnerability in Solidity smart contracts: a function makes an external call to an untrusted contract before it has finished updating its own state, and the untrusted contract can use that call to re-enter the protocol repeatedly while the stale state is still in effect, draining its liquidity.
Yajin Zhou, CEO of blockchain security company BlockSec, explained the process of the exploit to The Block, saying that the attacker deposited NFTs from a collection called Doodles. These NFTs were used as collateral to borrow wrapped ETH (WETH).
The attacker then exploited the reentrancy vulnerability by withdrawing all but one of the NFTs deposited as collateral. The withdrawal triggered a callback into a contract controlled by the attacker, which used the borrowed funds to buy even more Doodles before the loan position was liquidated.
Once the position is liquidated, the single Doodle NFT left from the original collateral is returned to the attacker. The position is liquidated because the value of that one NFT, left as collateral before the callback was invoked, was not sufficient to cover the debt. This is where the reentrancy comes in: the attacker is able to spend the borrowed WETH on more NFTs before the liquidation occurs.
The attacker then used the Doodles acquired with the initial loan as collateral to borrow more WETH. Omni, however, did not recognize this new debt position, so the hacker could withdraw the NFTs without paying back the loan.
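As an added illustration (not Omni's code, which the article does not show), the following Solidity contrasts a minimal NFT lender that sends collateral back to the borrower before updating its accounting with one that applies the checks-effects-interactions order and a reentrancy guard. It assumes the "callback" described above is the standard ERC-721 onERC721Received hook that safeTransferFrom invokes on a contract receiver; the flat per-NFT valuation, the 50% loan-to-value limit and all contract and function names are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Omni's code. Minimal interfaces are declared inline
// instead of importing OpenZeppelin so the file compiles stand-alone.
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
    // If `to` is a contract, a compliant token calls to.onERC721Received(...) before returning.
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Shared state for both versions: NFTs as collateral, WETH as the borrowed asset.
/// Every NFT is valued at a flat `pricePerNft` (an assumption for illustration; a real
/// market would use an oracle) and a position may borrow up to LTV_BPS of that value.
abstract contract NftLenderBase {
    IERC721 public immutable nft;
    IERC20 public immutable weth;
    uint256 public immutable pricePerNft;
    uint256 public constant LTV_BPS = 5_000; // 50% loan-to-value

    mapping(uint256 => address) public depositorOf; // tokenId => depositor
    mapping(address => uint256) public collateralCount;
    mapping(address => uint256) public debt;

    constructor(IERC721 nft_, IERC20 weth_, uint256 pricePerNft_) {
        nft = nft_;
        weth = weth_;
        pricePerNft = pricePerNft_;
    }

    function deposit(uint256 tokenId) external {
        nft.transferFrom(msg.sender, address(this), tokenId);
        depositorOf[tokenId] = msg.sender;
        collateralCount[msg.sender] += 1;
    }

    function repay(uint256 amount) external {
        require(weth.transferFrom(msg.sender, address(this), amount), "repay failed");
        debt[msg.sender] -= amount;
    }

    function _healthy(address user) internal view returns (bool) {
        return debt[user] * 10_000 <= collateralCount[user] * pricePerNft * LTV_BPS;
    }
}

/// VULNERABLE: the external call in the loop (safeTransferFrom, which invokes the
/// receiver's onERC721Received hook) runs before collateralCount is reduced and before
/// the health check. A contract receiver can re-enter borrow() from that hook while the
/// lender still counts the NFTs being withdrawn as collateral.
contract VulnerableNftLender is NftLenderBase {
    constructor(IERC721 n, IERC20 w, uint256 p) NftLenderBase(n, w, p) {}

    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        require(_healthy(msg.sender), "exceeds LTV");
        require(weth.transfer(msg.sender, amount), "transfer failed");
    }

    function withdraw(uint256[] calldata tokenIds) external {
        for (uint256 i = 0; i < tokenIds.length; i++) {
            require(depositorOf[tokenIds[i]] == msg.sender, "not depositor");
            nft.safeTransferFrom(address(this), msg.sender, tokenIds[i]); // interaction first
            delete depositorOf[tokenIds[i]];
        }
        collateralCount[msg.sender] -= tokenIds.length; // effects only after the calls
        require(_healthy(msg.sender), "undercollateralized"); // check runs last
    }
}

/// HARDENED: checks-effects-interactions plus a reentrancy guard on every state-changing
/// entry point. Accounting and the solvency check are final before any external call, so
/// a re-entering hook would see the reduced collateral and is rejected by the guard anyway.
contract HardenedNftLender is NftLenderBase {
    uint256 private _entered = 1;

    modifier nonReentrant() {
        require(_entered == 1, "reentrant call");
        _entered = 2;
        _;
        _entered = 1;
    }

    constructor(IERC721 n, IERC20 w, uint256 p) NftLenderBase(n, w, p) {}

    function borrow(uint256 amount) external nonReentrant {
        debt[msg.sender] += amount;
        require(_healthy(msg.sender), "exceeds LTV");
        require(weth.transfer(msg.sender, amount), "transfer failed");
    }

    function withdraw(uint256[] calldata tokenIds) external nonReentrant {
        // Checks and effects first.
        for (uint256 i = 0; i < tokenIds.length; i++) {
            require(depositorOf[tokenIds[i]] == msg.sender, "not depositor");
            delete depositorOf[tokenIds[i]];
        }
        collateralCount[msg.sender] -= tokenIds.length;
        require(_healthy(msg.sender), "undercollateralized");
        // Interactions last.
        for (uint256 i = 0; i < tokenIds.length; i++) {
            nft.safeTransferFrom(address(this), msg.sender, tokenIds[i]);
        }
    }
}
```

The difference a reviewer should look for is the position of the external call relative to the state update: in the vulnerable version a receiver hook that calls borrow() is evaluated against the pre-withdrawal collateralCount, whereas in the hardened version the count is already reduced and the nonReentrant guard reverts the nested call before any debt is recorded. Static analysers such as Slither flag the former ordering as "reentrancy-eth"/"reentrancy-no-eth", and a unit test that deposits from a contract whose onERC721Received calls back into the lender is a cheap regression check for this class of bug.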
The attack drained more than 1,300 WETH ($1.4 million) from the protocol. Omni said that the exploit did not affect any customer funds as only internal testing funds were impacted, since the platform is still in beta testing mode.
The NFT money market platform said that it has paused the protocol pending a complete investigation. Data from Etherscan shows the exploiter has already laundered the funds via Tornado Cash, a coin mixing service for private transactions on Ethereum.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.