OMNI – an NFT finance platform that lends out cryptocurrency in exchange for staked NFTs – fell victim to a re-entrancy exploit that led to the loss of nearly 1,300 ETH, worth $1.4 million at the time.
It seems a reentrancy-related hack. @ParallelFi @OMNI_xyz The stolen funds were just mixed via @TornadoCash https://t.co/Nyunlkk3rr pic.twitter.com/XxxVyX80Fq
— PeckShield Inc. (@peckshield) July 10, 2022
Bad Debts Due to Bad Code
The project in question lost the funds following a bad faith staking of NFTs from the Doodle collection. In order to carry out the attack, the perpetrator first deposited Doodles as collateral for a loan of wrapped ETH (wETH). Once the loan was secured, the exploiter was able to withdraw all Doodles except for one, causing a callback function that voided the debt acquired by purchasing wETH.
Once these two steps were completed, the Doodle remaining on the platform was no longer enough to cover the debt incurred. The position was then liquidated by the system, returning the last of the Doodles to the attacker as well.
No Chance for a White Hat Appeal
In the wake of recent attacks on DeFi, recently exploited devs have often made open appeals to those behind the hack, offering to consider them as a white-hat event in return for most or all of the stolen funds.
In some cases, this has worked out nicely – the Optimism exploiter, for instance, returned most of the funds after asking for Vitalik Buterin’s advice. The devs at Harmony recently tried the same approach but were summarily ignored as the laundering of the stolen tokens commenced.
In this case, the appeal never had a chance to be made, as the attacker immediately sent his newly appropriated wETH to Tornado, a mixing service that obfuscates the origin of funds. Due to this capability, it is often used by cybercriminals attempting to launder ill-begotten gains.
OMNI Protocol Suspended
The OMNI protocol – still in beta – has been shut down by the devs in charge, pending audits and security patches. Furthermore, OMNI devs confirmed that no customer funds were affected by the exploit, indicating that the misappropriated wETH were “internal testing funds.”
“OMNI is still in testing (beta). No customer funds were lost, only internal testing funds were affected! We have suspended the OMNI protocol until we completed the investigation and have everything reviewed again by external security and auditing firms.”
Unfortunately for the devs and fans of the project, it looks like OMNI will have to remain in beta for a while longer than previously planned.