OMNI, an NFT Protocol, Lost 1300ETH in a Reentrancy Attack

2022-07-25, 08:08

TL: DR
- The NFT protocol OMNI experienced a breach, and 1,300 ETH in internal testing funds were stolen.
- The attacker used a reentrancy attack which is a method used to take advantage of flaws in smart contracts.
- The NFT space remains a popular target for bad actors who seek out opportunities to compromise systems and steal money wherever they can.

Keywords: OMNI, NFT, Reentrancy, hack, protocol, testing fund.

On July 10, 2022, NFT protocol OMNI experienced a breach, losing 1,300 ETH in testing funds. According to the NFT money market, no users' funds were affected. The OMNI team explained further that the Protocol was still in the beta phase while it had been suspended. It added that it is currently investigating the cause of the attack. However, the blockchain security firm, PeckShield later said it seemed to be a reentrancy-related attack. The OMNI team is yet to make a full review and postmortem of the attack.


Several attacks have occurred in the DeFi and NFT space, with bad actors stealing hundreds of millions of dollars.

OMNI is an NFT money market that provides lending and borrowing services. Users can earn interest by lending NFTs and other ERC-20 tokens. The assets can also be used as collateral for loans.

Several attacks have occurred in the DeFi and NFT space, with bad actors stealing hundreds of millions of dollars.

OMNI is an NFT money market that provides lending and borrowing services. Users can earn interest by lending NFTs and other ERC-20 tokens. The assets can also be used as loan collateral.


NFT and Cyber Attack


Despite slowing sales, the NFT market remains one of the most active segments in the cryptocurrency industry. As a result, it ranks as a top target for hackers, who seek opportunities to compromise systems and steal money wherever possible.

Such occurrences have occurred numerous times this year. XCarnival, an NFT lending pool, lost around $4 million due to an attack, despite the hacker receiving a 1,500 ETH reward. Multiple phishing attempts were also launched against the Bored Ape Yacht Club, targeting Discord and other social media platforms.

The most notable incident in this area was the Ronin Bridge hack, which resulted in more than $600 million in theft. Analysts believe North Korean hackers were behind the incident. However, due to the recent market decline, the value of North Korea's stolen cryptocurrency has dropped significantly.


What is a Reentrancy Attack?


Reentrancy is a term that has been used in computing for many years to describe the process by which a process can be interrupted in the middle of execution, a different occurrence of the same function can begin, and both processes can finish to completion. Every day, we use reentrant functions to compute safely. One good example is the ability to start an email draft on a server, exit it to send another email, and then return to the draft to finish and send it.

Consider a poorly designed online banking system for issuing wire transfers, in which the account balance is only checked during the initialization stage. A user can start several transfers without sending any of them. The banking system will confirm that the user's account has sufficient funds for each transfer. If no additional verification was performed at the time of the actual send, the user could potentially send all transactions and exceed their balance.


Examples of some Notorious Reentrancy Attack


DAO Hack

The most well-known example of a reentrancy attack occurred in 2016 when Ethereum's DAO (decentralized autonomous organization) was hacked for $60 million in Ether. For those unfamiliar, Ethereum's DAO was a project designed to function as an investor-directed venture capital firm in which network members could vote on initiatives to invest in.

The DAO raised an incredible $150 million in one of the most successful crowdfunding projects in history. However, computer scientists and others in the community were concerned that the smart contract holding the funds was vulnerable to a reentrancy attack due to a recursive call bug in the code.

The DAO hack has since become a watershed moment in blockchain history, not least because it triggered an Ethereum hard fork to reclaim the funds, giving birth to Ethereum Classic in the process. It is also a real learning experience for blockchain security, with reentrancy vulnerabilities being a standard check-in for any professional, smart contract audit.

Lendf.me Protocol
A hacker used a reentrancy attack on April 18, 2020, to steal $25 million from the Lendf.me Protocol, a crypto-based finance protocol designed to support lending operations on the Ethereum platform. The attacker exploited a flaw in the Lendf.me platform that allowed ERC777 tokens—an Ethereum token standard for more complex interactions when trading tokens—to be used as collateral. The developers failed to notice that ERC777 tokens include a callback function that alerts users when money is sent or received. Hackers could exploit this otherwise secure token standard with sophisticated reentrancy attacks by having the recipient as a smart contract, draining the Lendf.me platform of 99.5 percent of its funds.


Possible Ways to Prevent Reentrancy Attacks


First, you need a third-party smart contract audit performed on your project. This step is one of the most effective. Also, developers looking to defend against reentrancy attacks should pay close attention to the structure of their code, especially around any smart contract that contains callback functions. Often, if a smart contract audit identifies a project as vulnerable to a reentrancy attack, they would advise the code to be restructured to update the balances before the funds are sent. Otherwise, they may suggest using a different function for funds transfer.

Developers in the NFT space and the blockchain industry have to up their game in terms of security and never take a chance on the structure of their code, which can push an entire project down the drain. OMNI was lucky this time. The hacker only stole internal test funds and not valuable assets this time.







Author: Gate.io Observer: M. Olatunji
Disclaimer:
* This article represents only the views of the observers and does not constitute any investment suggestions.
*Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.
Поділіться
gate logo
Credit Ranking
Complete Gate Post tasks to upgrade your rank