NFT lending platform Omni has been hit by a flash-loan attack and lost 1,300 ETH worth around $1.5 million. Omni recorded a re-entrancy attack on the beta-version of its protocol. The incident took place on July 10.
Omni tweeted that the platform is still in the testing phase and no customer funds were lost. The NFT money market lost only internal testing funds. As such, the platform suspended the Omni protocol. It is currently carrying out investigations and has been reviewed by external security and auditing firms.
PeckShield, a security firm, highlighted that the hacker used a flash loan mechanism to withdraw money. The hacker, after borrowing large amounts of NFTs, used it to manipulate and profit from the arbitrage. Yajin Zhou, the CEO of BlockSec, tweeted that the attack on Omni Protocol was because of an old-school re-entrancy of ERC721 Received. The exploitation caused more than 1,300 ETH damage. However, it didn’t affect any client funds. PeckShield also outlined vulnerabilities in the smart contracts – showing that the hacker used NFTs to borrow ETH, which was turned into bad debt that didn’t require paying.
Omni, an NFT financialization protocol, is an NFT money market. It offers lending and borrowing services whereby users can lend NFTs and other ERC-20 tokens to earn interest on them. The crypto-assets can be used as collateral for borrowing more assets.