Re-Entrancy Exploit Hits NFT Platform OMNI, Losing $1.4M in ETH

The NFT company, OMNI has temporarily paused all of its services and informed users that no consumer monies were stolen.
Re-Entrancy Exploit Hits NFT Platform OMNI, Losing $1.4M in ETH
Re-Entrancy Exploit Hits NFT Platform OMNI, Losing $1.4M in ETH

A re-entrancy attack caused OMNI, an NFT financial company that lends out cryptocurrencies in exchange for staked NFTs, to lose roughly 1,300 ETH, which was worth $1.4 million at the time.

Bad Debts from Poor Code

After staking NFTs from the Doodle collection in bad faith, the enterprise in question lost the money. The attacker first deposited Doodles as security for a loan of wrapped ETH before launching the hack (wETH). After the loan was confirmed, the exploiter had access to all Doodles but one, which allowed a callback function to cancel the debt that had been obtained by buying wETH.

The Doodle that was still on the platform after completing these two stages was insufficient to pay out the loan. The system then liquidated the situation and gave the remaining Doodles back to the attacker.

White Hat Appeal Has No Chance

Following recent attacks on DeFi, recently attacked developers have frequently made direct appeals to the hackers, promising to accept them as a white-hat event in exchange for the majority of all of the monies taken.

This has occasionally gone out well; for instance, the Optimism exploiter refunded the majority of the cash after seeking Vitalik Buterin’s counsel. When the devs at Harmony recently attempted the same strategy, they were blatantly disregarded as the stolen tokens were being laundered.

The attacker in this instance transmitted his freshly appropriated wETH right away to Tornado, a mixing service that hides the source of funds, so the appeal was never given an opportunity to be made. Due to this feature, fraudsters frequently use it when trying to launder illicit gains.

Suspended OMNI Protocol

The developers in charge have suspended the OMNI protocol, which is currently in beta, while they conduct audits and apply security updates. Additionally, OMNI developers stated that the hack did not affect any client payments, proving that the stolen wETH were “internal testing monies.”

“OMNI is still in testing (beta). No customer funds were lost, only internal testing funds were affected! We have suspended the OMNI protocol until we completed the investigation and have everything reviewed again by external security and auditing firms.”

Unfortunately, it appears that OMNI may have to stay in beta for a bit longer than initially anticipated, which is bad news for the project’s developers and supporters.