OMNI, an NFT platform that accepts staked NFTs as collateral for crypto loans, was hit by a flash loan attack on July 10 and lost 1300 ETH ($1.4M). The perpetrator used a re-entrancy exploit to carry out the attack and escaped with the funds in the form of wETH.
OMNI lost funds when a hacker deposited NFTs from the popular Doodles collection and used them as collateral to issue a loan in wrapped Ethereum (wETH).
Blockchain security firm BlockSec gave a post-mortem account of the flash loan attack. After borrowing wETH against the Doodles NFTs, the hacker took advantage of the re-entrancy exploit by withdrawing all but one NFT, which allowed them to default on the initial loan through a callback function.
Once the position was liquidated, the remaining NFT was returned to the hacker as the value of the NFT was insufficient to pay back the initial loan.
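The bug class described above can be shown with a simplified model. This is an added example, not OMNI's contract code or BlockSec's analysis: the `LendingPool` class, its price and loan-to-value constants, and the `run` scenario are all constructed assumptions. It contrasts a withdrawal that calls the receiver before updating collateral with one that updates state first and rejects nested calls.

```python
class Reentrancy(Exception):
    """Guarded entry point re-entered during an external call."""

class LendingPool:
    """Constructed toy model of NFT-collateralised lending; not OMNI's code."""
    PRICE, LTV = 10, 0.5  # assumed per-NFT value and loan-to-value ratio

    def __init__(self, hardened, nfts):
        self.hardened, self.locked = hardened, False
        self.collateral, self.debt = nfts, 0
    def _enter(self):
        if self.hardened and self.locked:
            raise Reentrancy("nested call rejected")
        self.locked = self.hardened
    def limit(self, nfts):
        return nfts * self.PRICE * self.LTV  # most that `nfts` can back

    def borrow(self, amount):
        self._enter()
        try:
            if self.debt + amount > self.limit(self.collateral):
                raise ValueError("insufficient collateral")
            self.debt += amount
        finally:
            self.locked = False

    def withdraw(self, n, on_received):
        self._enter()
        try:
            if self.debt > self.limit(self.collateral - n):
                raise ValueError("withdrawal would leave debt uncovered")
            if self.hardened:
                self.collateral -= n  # effects first, then the external call
                on_received(self)
            else:
                on_received(self)     # receiver hook sees stale collateral
                self.collateral -= n  # accounting updated too late
        finally:
            self.locked = False

def run(hardened, nfts=3):
    pool, blocked = LendingPool(hardened, nfts), []
    def hook(p):  # receiver callback that tries to borrow mid-withdrawal
        try:
            p.borrow(p.limit(nfts))
        except Reentrancy:
            blocked.append("Reentrancy")
    pool.withdraw(nfts - 1, hook)
    return pool.collateral, pool.debt, pool.debt <= pool.limit(pool.collateral), blocked
```

`run(False)` ends with one NFT backing a loan sized for three, while `run(True)` ends with no debt because the nested `borrow` is refused.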
Etherscan revealed that the perpetrator sent their newly acquired wETH through Tornado Cash. Since Tornado Cash is a coin mixing service that makes it hard to detect the origin of funds, the hacker was able to escape with the appropriated funds.
Following the attack, which took place during beta testing, the developers suspended the OMNI Protocol to investigate and review the situation with external security firms. OMNI also reported that no customer funds were lost; only internal testing funds were lost, as OMNI was in beta testing mode when the attack was carried out.