NFT Platform OMNI lost $1.4M in ETH in a reentrancy attack

SNEAK PEEK

  • The platform has clarified that no customer funds have been stolen.
  • Services of OMNI have been suspended for the time being.
  • The attacker used non-fungible tokens to borrow ETH and, after the reentrancy point, cleared the debt.

OMNI, an NFT money market, fell victim to a reentrancy attack that resulted in a loss of 1,300 ETH, though no real funds were stolen. The incident happened on July 10.

According to OMNI, no real funds were harmed because the protocol is in its beta phase. It also assured users that customer funds are safe and that OMNI will not resume operations until further notice.

In a statement, OMNI shared:

We have suspended the OMNI protocol until we complete the investigation and have everything reviewed again by external security and auditing firms.

PeckShield also stated that the incident looked like a reentrancy-related hack.

BlockSec, a crypto security firm, concluded that the attack happened due to old-school reentrancy through onERC721Received. Furthermore, it highlighted that the attacker borrowed ETH using NFTs. The borrowed ETH was then converted into bad debt that never had to be repaid.
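The pattern BlockSec describes, sketched as an added example that is not OMNI's code: the contract, its names and the flat LOAN_PER_NFT borrowing rule are assumptions made for illustration. It places a withdrawal path that hands control to the recipient's onERC721Received before updating its books next to a hardened version that updates state first and shares one reentrancy lock with borrow.

```solidity
pragma solidity ^0.8.20;

interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical, simplified NFT-collateral pool constructed for illustration.
contract NftCollateralPool {
    uint256 public constant LOAN_PER_NFT = 1 ether; // assumed flat borrowing power
    IERC721 public immutable nft;
    mapping(uint256 => address) public depositorOf;
    mapping(address => uint256) public collateralCount;
    mapping(address => uint256) public debt;
    bool private locked;

    constructor(IERC721 nft_) payable { nft = nft_; }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }
    function deposit(uint256 tokenId) external nonReentrant {
        nft.transferFrom(msg.sender, address(this), tokenId);
        depositorOf[tokenId] = msg.sender;
        collateralCount[msg.sender] += 1;
    }
    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= collateralCount[msg.sender] * LOAN_PER_NFT, "over limit");
        debt[msg.sender] += amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
    // VULNERABLE: check, external call, then bookkeeping. The recipient's
    // onERC721Received runs while collateralCount still includes tokenId.
    function withdrawVulnerable(uint256 tokenId) external {
        require(depositorOf[tokenId] == msg.sender, "not depositor");
        require(debt[msg.sender] <= (collateralCount[msg.sender] - 1) * LOAN_PER_NFT, "undercollateralized");
        nft.safeTransferFrom(address(this), msg.sender, tokenId);
        delete depositorOf[tokenId];
        collateralCount[msg.sender] -= 1;
    }
    // HARDENED: effects before interaction, shared lock, solvency re-checked last.
    function withdraw(uint256 tokenId) external nonReentrant {
        require(depositorOf[tokenId] == msg.sender, "not depositor");
        delete depositorOf[tokenId];
        collateralCount[msg.sender] -= 1;
        nft.safeTransferFrom(address(this), msg.sender, tokenId);
        require(debt[msg.sender] <= collateralCount[msg.sender] * LOAN_PER_NFT, "undercollateralized");
    }
}
```

The lock only helps because borrow and withdraw share it; guarding a single function leaves cross-function reentrancy open.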

Though a thorough investigation normally follows an attack, one has not yet been completed in this case. It is a relief that only internal testing funds were stolen. Both the NFT and DeFi spaces have encountered various attacks, which have resulted in losses of hundreds of millions of dollars.

OMNI, being an NFT financialization protocol, offers borrowing and lending services. To earn interest, users can lend NFTs as well as other ERC-20 tokens. Moreover, the assets can be deployed as collateral in order to purchase assets.

Though the NFT space has fallen in terms of sales, it is still the most active sector in the crypto market. As a result, hackers target it again and again to run away with the funds. This year, too, a number of attacks have happened. Thankfully, the OMNI attack is not as severe, as the platform was lucky enough not to lose real funds.