Omni, an NFT finance platform developed by Parallel Finance, was recently hacked and lost around 1,300 Ether, worth $1.43 M, in a flash loan reentrancy attack. The platform enables users to stake NFTs and receive tokens in return.
The blockchain data analytics company PeckShield tweeted that Omni's hacker attacked the protocol via a reentrancy vulnerability. It seems that the stolen funds were mixed via the privacy platform Tornado Cash. Reentrancy is a smart contract exploit that takes place when a function makes an external call to an untrusted contract, which can then gain access to the funds by calling back into the original function.
It seems a reentrancy-related hack. @ParallelFi @OMNI_xyz The stolen funds were just mixed via @TornadoCash https://t.co/Nyunlkk3rr pic.twitter.com/XxxVyX80Fq
— PeckShield Inc. (@peckshield) July 10, 2022
Yajin Zhou, Chief Executive Officer of BlockSec, told The Block that the attacker deposited assets from the NFT collection Doodles and used them as collateral to borrow WETH.
Exploiting the vulnerability, the attacker withdrew all but one of the non-fungible tokens. Then, without repaying the loan, the hacker borrowed crypto to acquire more Doodles. Using those Doodles, the hacker obtained more wrapped ETH. Later, they withdrew the NFTs without repaying the loan.
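The reentrancy pattern described above can be reproduced in a small model. The following is an added example, not Omni's contract code: the pool, the receiver callback, the NFT value and all names are assumptions, and it compares a pool that makes the external call before updating its state with one that updates state first and holds a reentrancy guard.

```python
# Toy model of an NFT-collateral lending pool (constructed; not Omni's code).
NFT_VALUE = 10  # assumed WETH credit per deposited NFT

class Pool:
    def __init__(self, hardened):
        self.hardened, self.locked = hardened, False  # locked = guard flag
        self.collateral, self.debt = {}, {}           # user -> NFTs / WETH owed

    def _enter(self):
        # A hardened pool refuses any call made while another is in progress.
        if self.hardened and self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True

    def deposit(self, user, n):
        self.collateral[user] = self.collateral.get(user, 0) + n

    def borrow(self, user, amount):
        self._enter()
        try:
            new_debt = self.debt.get(user, 0) + amount
            if new_debt > self.collateral.get(user, 0) * NFT_VALUE:
                raise ValueError("insufficient collateral")
            self.debt[user] = new_debt
        finally:
            self.locked = False

    def withdraw(self, user, n, on_received):
        self._enter()
        try:
            remaining = self.collateral.get(user, 0) - n
            if remaining < 0 or self.debt.get(user, 0) > remaining * NFT_VALUE:
                raise ValueError("debt would be undercollateralized")
            if self.hardened:
                self.collateral[user] = remaining  # effect first
                on_received(self)                  # then the external call
            else:
                on_received(self)                  # external call sees stale state
                self.collateral[user] = remaining
        finally:
            self.locked = False

def unbacked_debt(hardened):
    """Debt left without collateral after a withdrawal whose callback borrows."""
    pool, user = Pool(hardened), "borrower"
    pool.deposit(user, 3)
    try:
        pool.withdraw(user, 3, lambda p: p.borrow(user, 3 * NFT_VALUE))
    except RuntimeError:
        pass  # guard rejected the nested borrow (on-chain, the tx would revert)
    return max(0, pool.debt.get(user, 0) - pool.collateral[user] * NFT_VALUE)
```

`unbacked_debt(False)` leaves the pool with debt and no collateral behind it, while `unbacked_debt(True)` leaves none.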