OMNI, an NFT finance protocol that lends crypto to users in exchange for staked NFTs, has suffered a breach leading to the theft of 1,300 ETH ($1.43 million USD) after a hacker exploited a re-entrancy vulnerability in the firm’s protocol.
OMNI Suffers 1,300 ETH Exploit
On Sunday, June 10th, blockchain security company PeckShield reported that OMNI had suffered a re-entrancy exploit, through which a hacker had stolen more than 1,300 wETH ($1.4 million USD).
According to a postmortem conducted by BlockSec, the hacker deposited NFTs from the ‘Doodles’ collection in order to borrow wrapped ETH (wETH). The hacker then used the Doodles NFT acquired with the initial loan as collateral to borrow more wETH.
However, OMNI failed to identify this as a new position, and thus allowed the hacker to withdraw the NFTs without paying back the loan.
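A simplified model of the failure described above, added here as an illustration and not taken from OMNI's contracts or the BlockSec postmortem: the pool hands control to the NFT receiver before it finishes its own bookkeeping, so a stale "no position" flag overwrites the loan opened during the callback. The `Pool` class, the `has_position` flag, the flat `LOAN_PER_NFT` value and the receiver hook are all assumptions made for the example.

```python
"""Toy model of an NFT-collateral lending pool (constructed; not OMNI's code)."""

LOAN_PER_NFT = 10  # assumed: each NFT backs 10 units of wETH debt


class Pool:
    def __init__(self, effects_first):
        self.effects_first = effects_first  # True = hardened ordering
        self.collateral = {}    # user -> set of NFT ids held by the pool
        self.debt = {}          # user -> wETH owed
        self.has_position = {}  # user -> flag the health check trusts

    def deposit(self, user, nft):
        self.collateral.setdefault(user, set()).add(nft)
        self.has_position[user] = True

    def borrow(self, user, amount):
        limit = len(self.collateral.get(user, ())) * LOAN_PER_NFT
        if self.debt.get(user, 0) + amount > limit:
            raise ValueError("borrow exceeds collateral")
        self.debt[user] = self.debt.get(user, 0) + amount

    def withdraw(self, user, nft, on_receive=lambda: None):
        remaining = self.collateral[user] - {nft}
        still_open = bool(remaining)  # computed before any external call
        # The health check is skipped when the pool believes there is no position.
        owed = self.debt.get(user, 0)
        if self.has_position.get(user) and owed > len(remaining) * LOAN_PER_NFT:
            raise ValueError("withdrawal would leave debt unbacked")
        self.collateral[user] = remaining
        if self.effects_first:
            self.has_position[user] = still_open  # finish bookkeeping first
            on_receive()                          # then hand over control
        else:
            on_receive()                          # receiver hook runs mid-update
            self.has_position[user] = still_open  # stale value erases the hook's position


def run_scenario(effects_first):
    """Return the debt left unbacked; raises ValueError if the pool blocks the exit."""
    pool, user = Pool(effects_first), "borrower"
    pool.deposit(user, "nft-1")
    def hook():  # the receiver re-enters the pool while withdraw() is unfinished
        pool.deposit(user, "nft-1")
        pool.borrow(user, LOAN_PER_NFT)
    pool.withdraw(user, "nft-1", hook)  # no debt yet, so the check passes
    pool.withdraw(user, "nft-1")        # must fail while the loan is open
    return pool.debt[user] - len(pool.collateral[user]) * LOAN_PER_NFT
```

With the vulnerable ordering the scenario ends with the NFT released and the loan still open; with state written before the external call, the second withdrawal is rejected by the health check.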
No User Funds Were Stolen
According to OMNI, the protocol is still in its beta phase, and the stolen Ether was from internal testing funds. OMNI has since suspended its services, but confirmed that no customer funds were lost in the exploit.
Statement:
1/ OMNI is still in a testing (beta). No customer funds were lost, only internal testing funds were affected!
We have suspended the OMNI protocol until we completed the investigation and have everything reviewed again by external security and auditing firms.
— OMNI (@OMNI_xyz) July 10, 2022
On the Flipside
- On-chain data from Etherscan shows that the attacker has already laundered the funds using the infamous ‘Tornado Cash’ Ethereum mixing service for private transactions.
Why You Should Care
The high levels of activity in the NFT space have made it a prime target for hackers, who seek to exploit the vulnerabilities in NFT protocols.