#Flashloan
On July 10, @OMNI_xyz OMNI protocol suffered a reentrancy attack. The hacker made a profit of ~496 $ETH and deposited into Tornado.cash.
We take one of the attack Txs (0x05d65e0adddc5d9ccfe6cd65be4a7899ebcb6e5ec7a39787971bcc3d6ba73996) as an example:
2/ The attacker first borrowed 1,000 $WETH and 20 #Doodles via flashloan and staked NFTs with ids 720, 5251 and 7425, obtained the corresponding digital receipts and then borrowed 12.15 WETH.
3/ Then call the withdrawERC721 function to withdraw the NFTs with ids 720 and 5251. This will call Ntoken contract’s burn function, which internally calls the safeTransferFrom function to send the NFTs to the attack contract and calls back the onERC721Received function.
4/ In the onERC721Received function, the victim's liquidationERC721 function is re-entered to liquidate the NFT with id 7425. During liquidation, the _burnCollateralNTokens function is called to burn the digital receipts of the attack contract and repay the staked NFT.
5/ So the safeTransferFrom function is called again to trigger the onERC721Received function of the attack contract. The attacker again used callback to stake all borrowed 20 NFTs from flashloan and borrowed 81 $WETH.
6/ Finally the hacker returned to the liquidationERC721 function and set the borrowing status to false, and successfully withdrew all staked NFTs.
Share this Scrolly Tale with your friends.
A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.