Omni, a non-fungible token (NFT) money market platform, suffered a flash loan reentrancy attack on Sunday, in which the platform lost over 1,300 ETH.
The stolen ETH is worth around $1.43 million at the current market price.
The attacker exploited a reentrancy vulnerability present in the Omni protocol, triggering it by withdrawing all but one of the NFTs deposited as collateral. The withdrawal launched a callback function that worked in the attacker's favor.
The triggered function allowed the hacker to use the borrowed funds to buy even more Doodle NFTs before liquidating the loan position.
The remaining Doodle NFTs from the original collateral were returned to the attacker after the position was liquidated.
Because the price of the NFT given as collateral before the callback function ran was insufficient to pay off the debt position, the loan position was liquidated.
This was the exact moment at which the attacker launched the reentrancy attack. Through it, the attacker was able to use borrowed WETH to buy more NFTs in the wake of the liquidation.
The attacker put up the Doodles as collateral to borrow more WETH. However, Omni couldn’t identify this new debt position and allowed the attacker to withdraw the NFTs without paying back the loan.
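The sequence described above can be followed in a simplified model of a lending pool. This is an added example, not Omni's contract code: the Pool class, the prices and the stale debt write-back are assumptions chosen to show the bug class next to the effect of a reentrancy lock.

```python
# Simplified single-borrower pool model. All names and numbers are constructed.
class ReentrancyError(Exception):
    pass

class Pool:
    PRICE = 10  # constructed: each NFT backs up to 10 WETH of debt

    def __init__(self, guarded):
        self.guarded = guarded  # True = reentrancy lock enforced
        self.locked = False
        self.nfts = 0           # collateral held by the pool
        self.debt = 0           # debt the pool has on record
        self.lent_out = 0       # WETH that actually left the pool

    def _lock(self):
        if self.guarded and self.locked:
            raise ReentrancyError("state-changing call during callback")
        self.locked = True

    def deposit(self, n):
        self._lock()
        self.nfts += n
        self.locked = False

    def borrow(self, amount):
        self._lock()
        try:
            if self.debt + amount > self.nfts * self.PRICE:
                raise ValueError("undercollateralised")
            self.debt += amount
            self.lent_out += amount
        finally:
            self.locked = False

    def withdraw(self, n, on_receive):
        self._lock()
        try:
            if self.debt > (self.nfts - n) * self.PRICE:
                raise ValueError("undercollateralised")
            cached_debt = self.debt  # snapshot taken before the external call
            on_receive(self)         # NFT transfer hook runs borrower code
            self.nfts -= n
            self.debt = cached_debt  # stale write hides debt added in the hook
        finally:
            self.locked = False

def run(guarded):
    pool = Pool(guarded)
    pool.deposit(2)
    pool.borrow(10)
    def hook(p):  # borrower-controlled callback: deposit and borrow again
        p.deposit(3)
        p.borrow(30)
    try:
        pool.withdraw(1, hook)
    except ReentrancyError:
        pass  # on chain, the whole transaction would revert here
    return pool.lent_out - pool.debt  # WETH lent that the books do not record
```

With the lock disabled the pool ends up with lent funds it has no debt record for; with the lock enabled the nested call is rejected and the books stay consistent.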
The attacker used the coin mixer application Tornado Cash to drain the funds to unknown addresses.
Omni Protocol posted a tweet about the attack and assured its customers that no customer funds were lost and only internal testing funds were affected.
The protocol has paused all activities on its platform while it completes the investigation.