- The platform has clarified that no customer funds have been stolen.
- Services of OMNI have been suspended for the time being.
- The attacker used non-fungible tokens to borrow ETH and, after the reentrancy point, cleared the debt.
OMNI, an NFT money market, fell victim to a reentrancy attack that resulted in a loss of 1,300 ETH, though no real funds were stolen. The incident happened on July 10.
1/ OMNI is still in a testing (beta). No customer funds were lost, only internal testing funds were affected!
We have suspended the OMNI protocol until we complete the investigation and have everything reviewed again by external security and auditing firms.
— OMNI (@OMNI_xyz) July 10, 2022
According to OMNI, no real funds were harmed because the protocol is still in its beta phase. It also assured users that customer funds are safe and that the protocol will remain suspended until further notice.
In a statement, OMNI shared:
We have suspended the OMNI protocol until we complete the investigation and have everything reviewed again by external security and auditing firms.
PeckShield also stated that the incident looked like a reentrancy-related hack.
It seems a reentrancy-related hack. @ParallelFi @OMNI_xyz The stolen funds were just mixed via @TornadoCash https://t.co/Nyunlkk3rr pic.twitter.com/XxxVyX80Fq
— PeckShield Inc. (@peckshield) July 10, 2022
BlockSec, a crypto security firm, concluded that the attack was possible because of the old-school reentrancy of onERC721Received. It also highlighted that the attacker borrowed ETH using NFTs. The borrowed ETH was then turned into bad debt that never had to be repaid.
1/ Now it’s safe to disclose the root cause. The attack(https://t.co/iitml2DybH) on Omni Protocol @ParallelFi is due to the old-school reentrancy of onERC721Received.
— BlockSec (@BlockSecTeam) July 10, 2022
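To illustrate the class of bug BlockSec names, the following is an added example, not OMNI's contract code and not part of the original article: a simplified Python model of an NFT-collateral pool whose withdrawal hands control to the receiver's onERC721Received-style callback before updating its books, beside a hardened variant that updates state first and rejects reentrant calls. The class names, the single-borrower layout and the 10 ETH collateral value are assumptions made for the illustration.

```python
# Constructed model, not OMNI's contract: one borrower, each NFT backs 10 ETH.
from contextlib import contextmanager

class Pool:
    NFT_VALUE = 10  # assumed borrowable ETH per deposited NFT

    def __init__(self, hardened, nfts=1):
        self.hardened, self.locked = hardened, False  # locked = guard flag
        self.collateral, self.debt = nfts, 0          # NFTs held, ETH owed

    @contextmanager
    def _guard(self):
        if self.hardened and self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True
        try:
            yield
        finally:
            self.locked = False

    def borrow(self, amount):
        with self._guard():
            if self.debt + amount > self.collateral * self.NFT_VALUE:
                raise ValueError("insufficient collateral")
            self.debt += amount

    def withdraw(self, receiver):
        with self._guard():
            if self.debt or not self.collateral:
                raise ValueError("outstanding debt or nothing to withdraw")
            if self.hardened:   # effects first, then the external call
                self.collateral -= 1
                receiver.on_erc721_received(self)
            else:               # callback runs while the books are stale
                receiver.on_erc721_received(self)
                self.collateral -= 1

class ReenteringReceiver:
    """Constructed NFT receiver whose callback calls back into the pool."""
    blocked = False
    def on_erc721_received(self, pool):
        try:
            pool.borrow(Pool.NFT_VALUE)
        except RuntimeError:
            self.blocked = True

def run(hardened):
    pool, rx = Pool(hardened), ReenteringReceiver()
    pool.withdraw(rx)
    return pool.collateral, pool.debt, rx.blocked
```

`run(False)` ends with 10 ETH of debt backed by no collateral, which is the bad-debt outcome described above; `run(True)` ends with no debt and the reentrant call rejected.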
A thorough investigation normally follows an attack, but it has not yet taken place in this case. It is a relief that only internal testing funds were stolen. Both the NFT and DeFi spaces have seen various attacks, which have resulted in the loss of hundreds of millions of dollars.
OMNI, being an NFT financialization protocol, offers borrowing and lending services. To earn interest, users can lend NFTs as well as other ERC-20 tokens. Moreover, the assets can be used as collateral to purchase assets.
Though the NFT space has fallen in terms of sales, it is still the most active sector in the crypto market. As a result, hackers target it again and again to run away with the funds. A number of attacks have happened this year as well. Thankfully, the OMNI attack is not as severe, as the platform was lucky enough not to lose real funds.