$1.4M In ETH Lost After Hackers Exploit NFT Platform OMNI

  • Approximately 1,300 ETH ($1.4 million) were lost after attackers exploited OMNI
  • The project, which is still in the BETA phase, has been suspended

On Sunday, NFT finance platform OMNI was attacked, leading to a loss of 1,300 Ether (ETH), worth around $1.4 million at the time of the exploit. 

OMNI, which lends out cryptocurrencies in exchange for NFT staking, lost the funds following bad faith NFT staking from the Doodle collection. The attacker first deposited Doodles as collateral to lend wrapped ETH (wETH). After securing the loan, they withdrew all doodles except one, resulting in a callback function that canceled the debt after the reentrancy point. This made the borrowed ETH a bad debt that the attacker was not required to pay.

Once the attacker was done with these two steps, the only Doodle left on the platform was no longer enough to cover the incurred debt. The system liquidated the position, which left the remaining Doodle in the hands of the attacker as well.

OMNI protocol suspension

The developers in charge have suspended the NFT protocol, which was already in the beta stage, while they conduct audits and apply security updates. Additionally, OMNI revealed that the hack did not affect any user funds, indicating that the stolen wETH were “internal testing funds.”

“OMNI is still in testing (beta). No customer funds were lost; only internal testing funds were affected! We have suspended the OMNI protocol until we complete the investigation and have everything reviewed again by external security and auditing firms.”

it stated

No chance for direct appeal

With rising DeFi attacks, attacked developers these days are frequently making direct appeals to the hackers, promising to accept them as a white-hat event in exchange for the majority or all of the funds returned. This has occasionally gone out well; for instance, the Optimism exploiter refunded the majority of the cash after seeking Vitalik Buterin’s advice.

However, OMNI never got a chance to make an appeal, as the investigation by PeckShield reveals that the reentrancy-related attackers mixed the stolen funds via the decentralized protocol TornadoCash, a mixing service that obfuscates the origin of funds. Using this, the attackers laundered all the stolen gains.

Parth Dubey Verified

A crypto journalist with over 3 years of experience in DeFi, NFT, metaverse, etc. Parth has worked with major media outlets in the crypto and finance world and has gained experience and expertise in crypto culture after surviving bear and bull markets over the years.

Latest News