NFT Lender ‘Omni’ Exploited for $1.4m in Reentrancy Attack
In circumstances similar to early May’s US$80 million exploit of DeFi platform Rari Capital, NFT money market platform Omni lost 1300 ETH (about US$1.43 million) in a flash loan reentrancy attack last weekend:
According to a tweet from blockchain security firm PeckShield, the July 10 attack took the form of a hacker using NFTs from a collection called Doodles as collateral to borrow wrapped ETH (WETH). The hacker exploited the reentrancy vulnerability by withdrawing all but one of the Doodle NFTs. This triggered a malicious callback function enabling the hacker to use the borrowed funds to buy even more Doodles before liquidating the loan position.
Hacker Uses Borrowed WETH to Buy More NFTs
The remaining NFT was never going to cover the debt position, which is where the reentrancy came in – the attacker was able to use the borrowed WETH to buy more NFTs prior to liquidating the loan.
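The ordering mistake PeckShield describes, shown as an added illustration rather than Omni's actual code: a constructed minimal NFT-collateral pool whose withdraw transfers the NFT (which fires the receiver's onERC721Received callback) before reducing the collateral count, beside the checks-effects-interactions version that closes the gap. The flat PRICE_PER_NFT valuation, the contract names and the OpenZeppelin imports are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Constructed minimal NFT-collateral pool (not Omni's code): each pledged NFT
// is valued at a flat PRICE_PER_NFT and backs WETH debt up to that value.
abstract contract PoolBase {
    IERC721 public immutable nft;
    IERC20 public immutable weth;
    uint256 public constant PRICE_PER_NFT = 1 ether;    // assumed valuation
    mapping(address => uint256) public collateralCount; // NFTs pledged
    mapping(address => uint256) public debt;            // WETH owed (wei)
    constructor(IERC721 _nft, IERC20 _weth) { nft = _nft; weth = _weth; }

    function healthy(address user, uint256 count) internal view returns (bool) {
        return debt[user] <= count * PRICE_PER_NFT;
    }
    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        require(healthy(msg.sender, collateralCount[msg.sender]), "undercollateralized");
        require(weth.transfer(msg.sender, amount), "transfer failed");
    }
}

// VULNERABLE: safeTransferFrom invokes onERC721Received on a contract receiver
// while collateralCount still includes the NFT being withdrawn, so a callback
// that calls borrow() is checked against collateral that is already leaving.
contract VulnerablePool is PoolBase {
    constructor(IERC721 n, IERC20 w) PoolBase(n, w) {}
    function withdraw(uint256 tokenId) external {
        require(healthy(msg.sender, collateralCount[msg.sender] - 1), "undercollateralized");
        nft.safeTransferFrom(address(this), msg.sender, tokenId); // interaction first
        collateralCount[msg.sender] -= 1;                         // effect after the callback ran
    }
}

// HARDENED: checks-effects-interactions. The count is final before the external
// call, so any callback that borrows is checked against the true collateral;
// nonReentrant additionally stops the callback from reentering withdraw itself.
contract HardenedPool is PoolBase, ReentrancyGuard {
    constructor(IERC721 n, IERC20 w) PoolBase(n, w) {}
    function withdraw(uint256 tokenId) external nonReentrant {
        uint256 remaining = collateralCount[msg.sender] - 1;
        require(healthy(msg.sender, remaining), "undercollateralized"); // check
        collateralCount[msg.sender] = remaining;                       // effect
        nft.safeTransferFrom(address(this), msg.sender, tokenId);      // interaction
    }
}
```

A reentrancy guard alone would not fix the vulnerable version, because the reentrant call goes through borrow() rather than withdraw(); the state update has to precede the external call.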
According to a statement from Omni, the exploit did not impact any customers as only internal testing funds were affected, since the platform is still in beta testing mode and has since paused all operations pending a thorough investigation:
Data from Etherscan shows the hacker has already laundered the funds via Tornado Cash. This increasingly common modus operandi was also deployed when MM.Finance, the largest DeFi exchange on Cronos, had a vulnerability in its Domain Name System exploited in May, less than a week after the Rari Capital hack.