Non-fungible Token company, Omni is the next company to suffer a breach that has been exploited by an attacker to steal digital assets and collectibles. This particular type of attack used by the hacker is called a re-entrancy attack and was executed on the Omni platform.
For clarity, Omni is a financial company that lends cryptocurrencies in exchange for NFTs that are staked as collateral. The recent attack caused the company to lose 1,300 ETH which was worth a whopping $1.4 million at the time of the attack.
The attacker first took a loan of Wrapped ETH (WETH), depositing a Doodles NFT as collateral for that loan before the attack. After the loan was approved and the hack commenced, the hacker had access to all Doodle NFTs bar one.
This now activated a call-back order to cancel the debt that the exploiter owed by buying WETH. The Doodle that remained on the Omni platform after the hacker completed those two stages was now insufficient to repay the WETH loan. The system then automatically liquidated the hacker’s position and gave the remaining Doodle NFTs back to the exploiter.
Following recent DeFi hacks, devs have made white-hat appeals to hackers to exchange the majority of the loot for an agreed amount they can keep. This has worked occasionally like when the exploiter of the Optimism platform returned a majority of the stolen funds after consulting Buterin’s counsel.
However, the tactic doesn’t seem to be working anymore e.g. when the Harmony devs tried to apply this tactic, they were ignored and the entirety of the stolen funds was laundered. In Omni’s case, the attacker used Tornado (a service that hides the source of funds) to launder his stolen WETH right away giving no chance for a white hat plea message to be transmitted.
Omni’s developers have suspended activities on the platform to allow for audits and investigations while they apply security updates. Omni also released a statement that the stolen funds did not belong to any client as the stolen WETH was intended for internal testings.
Much to the displeasure and disappointment of the project’s developers and supporters, it, unfortunately, appears that the Omni protocol might have to remain in Beta for some more time. The NFT space has continued to be targeted by hackers even in the current market downtrend and users are becoming increasingly skeptical of the security of their digital assets.
Featured image source: blog.nfthi.io