OMNI Protocol Loses $1.43 Million Worth of Testing Funds in Reentrancy Attack

Updated on Jul 27, 2024 at 3:08 pm UTC

OMNI suffered a reentrancy hack and confirmed it would suspend the protocol until all parties auditing and investigating the attack are done.

NFT protocol OMNI has lost 1,300 ETH ($1.43 million) in internal testing funds to a recent reentrancy attack. According to OMNI, the attack did not affect any real funds as the protocol is still in its testing (beta) phase. While assuring it lost no customer funds, OMNI also said it will not move forward until further notice:

“We have suspended the OMNI protocol until we complete the investigation and have everything reviewed again by external security and auditing firms.”

Confirmation of OMNI Protocol Reentrancy Attack

Blockchain security company Peckshield later confirmed that it was a “reentrancy-related hack,” adding that the funds were mixed using transaction privacy platform Tornado Cash. In a reentrancy attack, one smart contract exploits the code of another to drain it. The attacking contract repeatedly calls the withdraw function, re-entering it before the attacked contract has updated its balance, until the funds are drained.

Popular blockchain security platform BlockSec also confirmed that it was a reentrancy attack and provided more details. In a tweet, BlockSec said the attacker used NFTs to borrow ETH and then cleared the debt after the reentrancy point. This made the borrowing a bad debt and removed the need for the attacker to repay.

Although OMNI has confirmed the attack, it has not yet provided a report or publicized any specifics. OMNI is an NFT protocol that functions as a money market that provides users with lending and borrowing services. OMNI users can lend ERC-20 tokens and NFTs, and use NFTs as collateral to borrow crypto.

NFT Hacks and Attacks

The NFT market has soared in recent times, becoming very popular and helping creators earn a lot of money from selling their assets. As with any booming sector, this success inevitably draws the attention of illicit players who want to exploit the industry. However, OMNI was comparatively lucky: although the attack was successful, the platform didn’t lose real funds.

Lending platform XCarnival was not so lucky, as a hacker recently stole 3,087 ETH, nearly $4 million. According to Peckshield, a withdrawn pledged NFT was used as collateral, something the hacker then exploited to drain the platform. Interestingly, the hacker agreed to return the funds if they could keep 1,500 ETH without any legal consequences. Peckshield later confirmed that the hacker returned 1,467 ETH after withdrawing the initial 120 ETH used to launch the attack.

One of the largest NFT attacks is the Ronin Network’s loss of more than $615 million in ETH and USDC. In late March, an attacker drained 173,500 ETH and 25.5 million USDC with stolen private keys. Using these keys, the hacker signed transactions from five of Ronin’s nine validator nodes.

At the moment, the NFT market seems to be losing some steam. Although the total volume hit $4 billion in May, it was a 44% plunge from the $7.18 billion recorded in April. Back in January, the total sales volume was nearly $16.57 billion, 75% higher than the May figure.
