SlowMist, Jul 11
🚨Brief Analysis of @OMNI_xyz Protocol Exploit🚨

On July 10, 2022, OMNI Protocol was the victim of a flash loan attack. We investigated this incident and these are our findings.
1/ The attacker used #doodle NFTs as collateral through the supplyERC721 function, which provided them with the corresponding NToken. They then called the borrow function to borrow WETH.
2/(1) The attacker used withdrawERC721 to withdraw the NFT. Following the call into the internal function executeWithdrawERC721, we find that the withdrawal first burns the NToken through the burn function.
2/(2) The safeTransferFrom call inside the burn function makes an external call to the onERC721Received function of the receiving address. The attacker used this to re-enter the contract's liquidationERC721 function.
3/(1) In the liquidationERC721 function, the attacker first repaid WETH and received the Doodle NFT back. After the checks, the _burnCollateralNTokens function is called to burn the corresponding NToken.
3/(2) The attacker then used the external call made by the burn function to re-enter again. First, they staked the NFT obtained from the liquidation, and then called the borrow function to borrow 81 WETH.
3/(3) Because the vars variable is defined in the liquidationERC721 function, the liability check in liquidationERC721 is not affected by the second borrow. This leads the attacker to use the userConfig.setBorrowing function and set the user's borrowing status to false.
4/ The userConfig.isBorrowingAny() function first checks the user's borrowing status. If it is false, the debt is not checked. Therefore, the debt of 81 WETH taken on after re-entry is not checked, allowing the attacker to withdraw all NFT profits without repaying.
5/(1) The root cause of this incident is that the burn function makes an external call to the onERC721Received function, which caused the reentrancy problem.
5/(2) The old value of vars is used in the liquidation function, so the user's borrowing status is set to an unborrowed state. Despite the reentrancy, the user's borrowing status was set to false, so no repayment was required.
6/ The SlowMist security team recommends the use of reentrancy locks in critical functions to prevent reentrancy issues in the future.

TX ID: etherscan.io/tx/0x05d65e0ad…
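
A simplified Python model of the stale-state reentrancy described in this thread and of the recommended reentrancy lock, added here as an illustration; it is not OMNI's or SlowMist's code. Pool, guarded, can_withdraw and scenario are hypothetical names, and the first loan of 10 is a constructed amount.

```python
class Reentrancy(Exception):
    """Raised by the lock; on-chain this would revert the whole transaction."""

def guarded(fn):                        # minimal reentrancy lock
    def wrapper(pool, *args):
        if pool.use_lock and pool.locked:
            raise Reentrancy(fn.__name__)
        pool.locked = True
        try:
            return fn(pool, *args)
        finally:
            pool.locked = False
    return wrapper

class Pool:                             # single-user toy model (assumption)
    def __init__(self, use_lock):
        self.use_lock, self.locked = use_lock, False
        self.collateral, self.debt, self.borrowing = 0, 0, False

    @guarded
    def supply(self):
        self.collateral += 1

    @guarded
    def borrow(self, amount):           # collateral check omitted in this model
        self.debt += amount
        self.borrowing = True

    @guarded
    def liquidate(self, repay, on_received):
        remaining = self.debt - repay   # snapshot, like `vars` in the thread
        self.debt -= repay
        self.collateral -= 1            # NToken burned, NFT transferred out
        on_received(self)               # transfer invokes the receiver's hook
        if remaining == 0:              # stale: misses debt taken in the hook
            self.borrowing = False

    def can_withdraw(self):             # debt is only checked if the flag is set
        return not (self.borrowing and self.debt > 0)

def scenario(use_lock):
    pool = Pool(use_lock)
    pool.supply()
    pool.borrow(10)
    try:                                # the hook re-enters supply and borrow
        pool.liquidate(10, lambda p: (p.supply(), p.borrow(81)))
    except Reentrancy:
        return "reverted"
    return pool.debt, pool.can_withdraw()
```

Without the lock, scenario(False) ends with 81 of debt outstanding while the withdrawal check still passes; with the lock, the re-entrant call is rejected before any state is changed inside the callback.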
