Hacker Stole $1.4 Million Worth of ETH from NFT Lender Omni

Jul 11, 2022 06:45







The attacker took advantage of a reentrancy vulnerability to withdraw funds from Omni. The exploit siphoned about $1.4 million from the NFT financial platform.
According to PeckShield, Omni, a non-fungible token (NFT) money market platform, lost about 1,300 ETH worth $1.43 million on Sunday as a result of a reentrancy attack.

Omni allows users to deposit their NFTs, usually from popular collections such as the Bored Ape Yacht Club, as collateral to borrow tokens such as Ether (ETH).

During today's attack, the hacker exploited a reentrancy vulnerability in the Omni protocol. Reentrancy is a known vulnerability in projects written with Solidity that allows an attacker to force a smart contract to make an external call to an untrusted contract. This external call is executed before the original function completes and thus can be used to repeatedly re-enter the protocol to deplete its liquidity.

Yajin Zhou, CEO of BlockSec, a blockchain security company, explained the exploit process, stating that the attacker deposited NFTs from a collection called Doodles. These NFTs were used as collateral for borrowing wrapped ETH (WETH).

The attacker then exploited the reentrancy vulnerability by withdrawing all but one of the NFTs deposited as collateral. This action triggered a malicious callback function that worked in the attacker's favor. This function allowed the hacker to use the borrowed funds to buy even more Doodles before the loan position was liquidated.

As soon as the position is liquidated, the remaining Doodle NFT from the original collateral is returned to the attacker. The loan position is liquidated because the value of the single NFT left as collateral before the callback function was called was insufficient to cover the debt. This is where the reentrancy occurs, as the attacker can use the borrowed WETH to buy more NFTs before liquidation takes place.

The attacker then used the Doodles obtained with the initial loan as collateral to borrow more WETH. However, Omni did not recognize this new debt position, so the hacker could withdraw the NFTs without repaying the loan.
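The ordering flaw behind this class of attack, as a simplified Python model added here for illustration; it is not Omni's contract code. The `Pool` class, the NFT price, the loan-to-value ratio and the `on_received` callback are constructed assumptions. The pool checks collateral, hands control to the NFT receiver, and only then updates its records; a lock shared by every state-changing function rejects the nested call.

```python
class Reentered(Exception):
    """Raised by the guard when a pool function is re-entered mid-call."""

NFT_PRICE, LTV = 10, 0.5  # constructed values: 10 WETH per NFT, 50% loan-to-value

class Pool:
    def __init__(self, weth, guarded):
        self.weth, self.guarded, self.locked = weth, guarded, False
        self.nfts, self.debt = {}, {}  # per-user collateral count and WETH debt

    def limit(self, user):
        return int(self.nfts.get(user, 0) * NFT_PRICE * LTV)

    def _enter(self):
        if self.guarded and self.locked:
            raise Reentered("pool function re-entered")
        self.locked = True

    def deposit(self, user, count):
        self.nfts[user] = self.nfts.get(user, 0) + count

    def borrow(self, user, amount):
        self._enter()
        try:
            if self.debt.get(user, 0) + amount > self.limit(user):
                raise ValueError("insufficient collateral")
            self.debt[user] = self.debt.get(user, 0) + amount
            self.weth -= amount
        finally:
            self.locked = False

    def withdraw(self, user, count, on_received):
        self._enter()
        try:
            remaining = self.nfts.get(user, 0) - count
            if remaining < 0 or self.debt.get(user, 0) > int(remaining * NFT_PRICE * LTV):
                raise ValueError("debt would be under-collateralised")
            on_received(self)            # interaction: transfer calls the receiver
            self.nfts[user] = remaining  # effect: record updated only afterwards
        finally:
            self.locked = False

def run(guarded):
    pool = Pool(weth=100, guarded=guarded)
    pool.deposit("user", 3)
    try:  # the receiver callback borrows against collateral that is leaving
        pool.withdraw("user", 2, on_received=lambda p: p.borrow("user", 15))
    except Reentered:
        pass  # on-chain, the whole transaction would revert here
    return pool.debt.get("user", 0), pool.limit("user")
```

`run(False)` ends with a debt of 15 against a borrowing limit of 5, while `run(True)` leaves the position untouched. Updating the collateral record before the external call (checks-effects-interactions) closes the same gap without a lock.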

The attack deprived the protocol of more than 1,300 WETH ($1.4 million). Omni said that the exploit did not affect customer funds, as only internal testing funds were affected, since the platform is still in verification mode.

The NFT money market platform said it had suspended the protocol until the investigation was completed. Etherscan data shows that the hacker has already laundered funds through Tornado Cash (TORN), a coin mixing service for private transactions on Ethereum.

https://coin-signal.com/cryptonews/hacker-stole-1-4-million-worth-of-eth-from-nft-omni-lender/