ETHPoW, the proof-of-work blockchain forked from Ethereum that went live shortly after Ethereum’s transition to proof-of-stake (PoS) last week, has fallen victim to a replay exploit that resulted in an extra 200 ETHW tokens being siphoned by the attacker.
Blockchain security company BlockSec revealed the incident on Sunday, saying that the attack happened through the Omni Bridge on the Gnosis chain.
“On September 16th, 2022, we detected that some attackers successfully harvested lots of ETHW by replaying the message (i.e., the calldata) of the PoS chain on EthereumPoW (aka the PoW chain),” BlockSec wrote in a Medium post.
According to the security researchers, the attacker first transferred 200 WETH through the Omni Bridge and then replayed the same message on the PoW chain, getting an extra 200 ETHW.
“By doing so, the balance of the chain contract deployed on the PoW chain could be drained,” BlockSec said.
The firm detailed that “the root cause of the exploitation is that the Omni bridge on the PoW chain uses the old chainId and doesn’t correctly verify the actual chainId of the cross-chain message,” adding that similar issues may exist in other protocols.
The price of the ETHW token plummeted about 37% on the back of the news, hitting a fresh low of $4.22 earlier on Monday, according to CoinMarketCap. It currently trades at just over $5.
The developers behind the ETHW protocol confirmed the incident; however, they insisted that the attack did not originate from the ETHW blockchain and only affected the Omni bridge, not the Ethereum PoW network itself.
"ETHW itself has enforced EIP-155, and there is no replay attack from ETHPoS and to ETHPoS, which ETHW Core’s security engineers have planned in advance," the ETHW team said in a blog post.
The developers also said they have reached out to the Omni team to alert them of the exploit.
"We have contacted the bridge in every way and informed them of the risks," the ETHW blockchain developers said, adding that "bridges need to correctly verify the actual ChainID of the cross-chain messages.”
Had tried every way to contact Omni Bridge yesterday.
Bridges need to correctly verify the actual ChainID of the cross-chain messages.
— EthereumPoW (ETHW) Official #ETHW #ETHPoW (@EthereumPoW) September 18, 2022
What is ETHPoW?
ETHPoW is a hard forkhard fork of Ethereum supported by a group of miners who declared their intention to preserve the PoW chain following the merge—the commonly used term for the network’s switch to PoS.
The chain was launched last week shortly after the merge occurred, however, it got off to a rather bumpy start as the network faced several technical issues, including a Chain ID issue.
It’s been awaited for half a decade, delayed for years, praised, condemned, tweaked, and so its developers say, perfected.
Ready or not, here comes Ethereum’s long-anticipated merge. But, given the technical feat that it is, is there any risk of something going terribly wrong?
The merge—Ethereum’s transition from a proof-of-work system to proof of stake—is set to occur between September 10 and September 20. During this historic upgrade to the second-largest cryptocurrency by market cap, upon wh...
Notably, the possibility of a replay attack if ETHPoW failed to change its network’s chain ID from that of the Ethereum mainnet was raised some weeks before the merge.
However, ETHPoW founder Chandler Guo insisted back then that those fears were overblown, and told Decrypt that the network would change all chain IDs on its blockchain to prevent such attacks.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
President Donald Trump and his business partners appear to be launching their own crypto wallet, one linked to his Solana-based meme coin and rolled out in partnership with major NFT marketplace Magic Eden.
A site where users can sign up for a waitlist to gain access to the wallet launched Tuesday. A Magic Eden spokesperson confirmed both the legitimacy of the site and the company’s partnership with Trump’s business partners to Decrypt. The site was first spotted by independent journalist Molly...
Coinbase was made aware in January of a customer data breach involving its third-party contractor TaskUs months before publicly disclosing the incident, Reuters reported Monday, citing six sources familiar with the matter.
According to five former TaskUs employees, the breach was traced to an India-based TaskUs support agent who had been photographing her work computer screen with a phone.
The employee and an alleged accomplice were suspected of selling Coinbase user information to hackers in e...
Strategy, formerly MicroStrategy, announced plans Monday to raise fresh capital by selling shares of preferred stock, with the proceeds earmarked for Bitcoin purchases and other operational expenses.
Operating as a "Bitcoin Treasury" company, Strategy is seeking $250 million through an initial public offering of 2.5 million shares of its "10% Series A Perpetual Stride Preferred Stock” (STRD).
The stock will be listed on the Nasdaq, with each share initially priced at $100, offering investors a...
