The Omni protocol was exploited on July 10, 2022, resulting in a $1.4 million loss due to a reentrancy vulnerability in its smart contracts. The attacker deposited Doodles NFTs into Omni's pool, leveraged reentrancy in two vulnerable functions, and manipulated collateral tracking to withdraw funds illegitimately. The core issue lay in the lack of reentrancy locks and failure to follow the checks-effects-interactions pattern, especially during ERC721 token transfers using safeTransferFrom. The exploit involved flashloans, malicious contracts, and intricate interactions to bypass collateral verification and double-dip withdrawals. This attack highlights the importance of securing interactions between NFT platforms and ensuring proper safeguards like reentrancy locks and robust collateral tracking.
Reference: https://medium.com/immunefi/hack-analysis-omni-protocol-july-2022-2d35091a0109