Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Hack Analysis: Omni Protocol, July 2022- 1037

Immunefi - Posted 3 Years Ago
  • Omni is an NFT money market on Ethereum. It allowed for borrowing and lending via NFTs. For instance, a user could borrow an ERC20 asset for the NFT put up as collateral. This makes the NFT more liquid, since it can be borrowed against.
  • The function executeWithdrawERC721 runs when a user wants to remove their NFT collateral from the market. While doing this, it calls onERC721Received on the recipient if the recipient is a contract that implements the interface.
  • When allowing code to be executed as a callback, two things need to be done: use the checks-effects-interactions pattern and include reentrancy locks. If these are not done, then major havoc can ensue.
  • The function executeWithdrawERC721 has a snippet of code that informs the market that the address no longer has deposited collateral in the contract. The callback runs before this variable is changed, so control leaves the contract while the collateral is still recorded, and we can borrow! When the code finishes, our collateral will be taken out, allowing us to steal funds from the contract.
  • A similar vulnerability occurs by using the executeERC721LiquidationCall hook with the burn function. The attacker actually abused both of the vulnerabilities to perform the reentrancy bug twice.
  • The rest of the post contains a great proof of concept with step-by-step details on how to exploit the bug. Overall, interesting vulnerability and interesting exploit!
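
The ordering issue summarized above, as an added Python model that is not code from the Immunefi post or from Omni: the same withdrawal is run once with the callback before the collateral update and once with the update first plus a reentrancy lock. The names `Market`, `Revert` and `simulate`, the `"user"` key and the amounts are all constructed for this illustration.

```python
class Revert(Exception): pass  # stands in for an EVM revert

class Market:
    """Toy NFT money market (constructed model, not Omni's code)."""
    def __init__(self, hardened, liquidity=100):
        self.hardened, self.locked = hardened, False
        self.liquidity = liquidity             # ERC20 units available to lend
        self.collateral, self.debt = {}, {}    # user -> NFT count / units owed

    def _enter(self):
        if self.hardened and self.locked:
            raise Revert("reentrant call")
        self.locked = True

    def borrow(self, user, amount):
        self._enter()
        try:
            if self.collateral.get(user, 0) == 0 or amount > self.liquidity:
                raise Revert("no collateral or liquidity")
            self.debt[user] = self.debt.get(user, 0) + amount
            self.liquidity -= amount
        finally:
            self.locked = False

    def withdraw(self, user, on_received):
        self._enter()
        try:
            if self.collateral.get(user, 0) == 0 or self.debt.get(user, 0) > 0:
                raise Revert("no collateral or debt outstanding")
            if self.hardened:
                self.collateral[user] -= 1   # effect first
                on_received()                # interaction last
            else:
                on_received()                # callback sees stale collateral
                self.collateral[user] -= 1
        finally:
            self.locked = False

def simulate(hardened):
    """Withdraw one NFT while the receiver callback tries to borrow 50."""
    m, errors = Market(hardened), []
    m.collateral["user"] = 1                 # constructed starting state
    def on_received():
        try:
            m.borrow("user", 50)
        except Revert as e:
            errors.append(str(e))
    m.withdraw("user", on_received)
    return m.debt.get("user", 0), m.collateral["user"], errors
```

`simulate` returns the user's final debt, remaining collateral, and any reverts the callback hit; a result with debt but no collateral is the broken invariant a regression test for this class of bug should check.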