Omni, a non-fungible token (NFT) platform, was hacked for 1,300 ether (ETH) ($1.43 million) after the attacker exploited a reentrancy vulnerability in the company’s protocol, according to PeckShield.
The NFT money market platform lets users stake their NFTs, with staking normally open for popular collections like Bored Ape Yacht Club, in exchange for tokens like ETH.
Although the hacker drained more than 1,300 wETH ($1.4 million), the tradable ERC-20 version of ETH, Omni said the theft did not affect customer funds. The company added that only internal testing funds were affected because the platform is still in beta testing.
The protocol has been put on hold for a full investigation, according to the NFT company.
According to The Block, projects coded in Solidity are vulnerable to reentrancy. The flaw arises when a contract makes an external call to an untrusted contract, which can then call back into the vulnerable contract before it has finished updating its own state.
Describing how this particular hack worked, Yajin Zhou – CEO of blockchain security firm BlockSec – told The Block that the hacker had deposited NFTs from a collection called Doodles and used them to borrow wrapped ETH (WETH), a tokenized version of a cryptocurrency that is pegged to the value of the original coin.
After depositing and liquidating the position, the remaining Doodle NFT from the original collateral is returned to the attacker.
Zhou added that attackers often liquidate the loan position because the value of the NFT left as collateral at the point the callback is invoked is not enough to cover the debt. To get around this, they usually rely on reentrancy, which lets them use the borrowed WETH to buy more NFTs before the liquidation completes.
Zhou further explained that the hacker then used the Doodles NFTs acquired with the original loan as collateral to borrow more WETH. Because Omni had not recognized this new position, the hacker could withdraw the NFTs without repaying the loan.
According to The Block, Etherscan data shows that the attacker has already laundered the funds through Tornado Cash, a coin-mixing service for private transactions on Ethereum.
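The stale-position problem Zhou describes, as an added example that is not Omni’s code: a hypothetical, simplified NFT lending market in Solidity where collateral withdrawal makes its external call (the ERC-721 `safeTransferFrom` callback) before the position is updated, shown beside the checks-effects-interactions ordering plus OpenZeppelin’s `ReentrancyGuard` that closes the gap. The contract, function names and the fixed one-WETH-per-NFT loan are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical, heavily simplified NFT-collateral market (not Omni's code):
// one NFT per borrower, a fixed 1 WETH loan per NFT, no interest or liquidation.
contract NftLendingMarket is ReentrancyGuard {
    IERC721 public immutable nft;
    IERC20 public immutable weth;
    uint256 public constant LOAN_PER_NFT = 1 ether;
    mapping(address => bool) public hasCollateral;
    mapping(address => uint256) public collateralId;
    mapping(address => uint256) public debt; // WETH owed by each borrower

    constructor(IERC721 _nft, IERC20 _weth) { nft = _nft; weth = _weth; }

    function deposit(uint256 tokenId) external nonReentrant {
        require(!hasCollateral[msg.sender], "position already open");
        hasCollateral[msg.sender] = true;                     // effects first
        collateralId[msg.sender] = tokenId;
        nft.transferFrom(msg.sender, address(this), tokenId); // interaction last
    }

    function borrow() external nonReentrant {
        require(hasCollateral[msg.sender] && debt[msg.sender] == 0, "no free collateral");
        debt[msg.sender] = LOAN_PER_NFT;
        require(weth.transfer(msg.sender, LOAN_PER_NFT), "weth transfer failed");
    }

    // VULNERABLE ordering, kept only for contrast. safeTransferFrom invokes
    // onERC721Received on a contract recipient while hasCollateral is still true
    // and debt is 0, so that callback can call borrow() against collateral that is
    // already leaving the contract; the lines after the call then clear the
    // collateral record and the market is left holding an unbacked debt.
    function withdrawVulnerable() external {
        require(hasCollateral[msg.sender] && debt[msg.sender] == 0, "loan outstanding");
        nft.safeTransferFrom(address(this), msg.sender, collateralId[msg.sender]);
        hasCollateral[msg.sender] = false;
        delete collateralId[msg.sender];
    }

    // Hardened: checks, then effects, then the external call; nonReentrant also
    // blocks any callback from re-entering deposit()/borrow() while this runs.
    function withdraw() external nonReentrant {
        require(hasCollateral[msg.sender] && debt[msg.sender] == 0, "loan outstanding");
        uint256 tokenId = collateralId[msg.sender];
        hasCollateral[msg.sender] = false;
        delete collateralId[msg.sender];
        nft.safeTransferFrom(address(this), msg.sender, tokenId);
    }
}
```

In review, flag any function whose external call (a token transfer with a receiver hook, an oracle or router call) precedes the state writes that describe the caller's position; that ordering is the pattern behind the Omni loss.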