NFT Lender Omni Hacked for 1,300 ETH

According to PeckShield, the non-fungible token (NFT) platform Omni was hacked for 1,300 ether (ETH) ($1.43 million) as the hacker exploited the firm's reentrancy vulnerability protocol.

The NFT money market platform enables users to stake their NFTs on the platform, which is typically open staking for popular collections such as Bored Ape Yacht Club, in order to receive tokens like as ETH.

Despite the fact that the hacker was able to steal more than 1,300 wETH ($1.4 million), the ERC20 marketable version of ETH, Omni maintained that the loss had no impact on users' funds. Because the technology is currently under beta testing, only internal testing money were impacted, according to the company.

According to the NFT firm, the practice has been paused pending a thorough examination.

According to The Block, Solidity-coded projects are subject to reentry. It enables hackers to force their smart contract to call an untrusted contract.

The hacker deposited NFTs from a collection called Doodles, which were used to borrow wrapped ETH (WETH), tokenized copies of cryptocurrencies that are tethered to the value of the original coin, according to Yajin Zhou, CEO of blockchain security company BlockSec.

Following the deposit and liquidation of the position, the attacker receives the leftover Doodle NFT from the original collateral.

Zhou said that hackers frequently liquidate the loan position because the value of the NFT left as collateral prior to invoking the callback function is insufficient to pay the debt position. To combat this, hackers often rely on reentrancy, which allows them to push their way through using borrowed WETH to purchase more NFTs before the liquidation occurs.

Zhou also stated that the hacker utilized the Doodles NFT obtained with the initial transaction as collateral to borrow more WETH. However, because Omni failed to identify this altered situation, the hacker was able to withdraw the NFTs without repaying the loan.

According to The Block, data from Etherscan suggests that the attacker has already laundered the cash through Tornado Cash, a coin mixing service for private transactions on Ethereum.

As a reminder, WikiBit is ready to help you search the qualifications and reputation of projects in a bid to protect you from hidden dangers in this risky industry!

iOS: t.ly/UUCj

Android: t.ly/cfYt