NFT Lender Omni Hacked for 1,300 ETH

Non-fungible token (NFT) platform, Omni was hacked for 1,300 ether (ETH) ($1.43 million) as the hacker exploited the firm's reentrancy vulnerability protocol, according to PeckShield.

The NFT money market platform allows users to stake their NFTs on the platform, normally open staking for popular collections like Bored Ape Yacht Club, to receive tokens like ETH.

Although the hacker was able to drain out more than 1,300 wETH ($1.4 million), the ERC20 tradable version of ETH, Omni stated that the theft did not affect customers' funds. The company added that only internal testing funds were impacted as the platform is still in beta testing mode.

The protocol has been suspended for a complete investigation, according to the NFT company.

According to The Block, projects coded with Solidity are vulnerable to reentrancy. It allows hackers to force their smart contract to make an external call to an untrusted contract. 

For this nature of the hack, Yajin Zhou - CEO of blockchain security company BlockSec - told The Block that the hacker deposited NFTs from a collection called Doodles, which were used to borrow wrapped ETH (WETH), tokenized versions of cryptocurrencies that are pegged to the value of the original coin.

Following the deposit and liquidation of the position, the remaining Doodle NFT from the original collateral is returned back to the attacker.

Zhou added that hackers often liquidate the loan position as the value of the NFT left as collateral before the callback function was invoked isn't sufficient to cover the debt position. To tackle this, hackers typically rely on reentrancy as they are able to force through using borrowed WETH to buy more NFTs before the liquidation occurs.

Furthermore, Zhou added that the hacker then used the Doodles NFT acquired with the initial loan as collateral to borrow more WETH. However, as Omni had failed to recognize this new position, the hacker could withdraw the NFTs without paying back the loan.

According to The Block, data from Etherscan shows the attacker has already laundered the funds via a coin mixing service for private transactions on Ethereum called Tornado Cash.