ETHPoW, the proof-of-work blockchain forked from Ethereum that went live shortly after Ethereum’s transition to proof-of-stake (PoS) last week, has fallen victim to a replay exploit that resulted in an extra 200 ETHW tokens being siphoned by the attacker.
Blockchain security company BlockSec revealed the incident on Sunday, saying that the attack happened through the Omni Bridge on the Gnosis chain.
“On September 16th, 2022, we detected that some attackers successfully harvested lots of ETHW by replaying the message (i.e., the calldata) of the PoS chain on EthereumPoW (aka the PoW chain),” BlockSec wrote in a Medium post.
According to the security researchers, the attacker first transferred 200 WETH through the Omni Bridge and then replayed the same message on the PoW chain, getting an extra 200 ETHW.
“By doing so, the balance of the chain contract deployed on the PoW chain could be drained,” BlockSec said.
The firm detailed that “the root cause of the exploitation is that the Omni bridge on the PoW chain uses the old chainId and doesn’t correctly verify the actual chainId of the cross-chain message,” adding that similar issues may exist in other protocols.
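The root cause BlockSec describes can be reproduced in a small model. The following is an added example, not code from BlockSec, the Omni Bridge or the ETHW project: the Bridge class, the HMAC stand-in for validator signatures, chain ID 10001 and the idea that the old chainId sits in contract storage copied by the fork are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

VALIDATOR_KEY = b"constructed-validator-key"  # stand-in for validator signatures
POS_CHAIN_ID = 1       # Ethereum mainnet
POW_CHAIN_ID = 10001   # constructed sample ID for the forked chain


def sign(recipient: str, amount: int, nonce: int, chain_id: int) -> str:
    payload = f"{recipient}|{amount}|{nonce}|{chain_id}".encode()
    return hmac.new(VALIDATOR_KEY, payload, hashlib.sha256).hexdigest()


@dataclass
class Bridge:
    runtime_chain_id: int   # what the chain itself reports (CHAINID opcode)
    stored_chain_id: int    # assumed: written to contract storage before the fork
    check_runtime_id: bool  # False: trust stored value; True: check actual chain
    balance: int = 1000
    processed: set = field(default_factory=set)

    def execute(self, msg: tuple) -> str:
        recipient, amount, nonce, chain_id, sig = msg
        local_id = self.runtime_chain_id if self.check_runtime_id else self.stored_chain_id
        if chain_id != local_id:
            return "rejected: wrong chain"
        if not hmac.compare_digest(sig, sign(recipient, amount, nonce, chain_id)):
            return "rejected: bad signature"
        if nonce in self.processed:
            return "rejected: already processed"
        self.processed.add(nonce)
        self.balance -= amount
        return "released"


def replay_demo(check_runtime_id: bool) -> tuple:
    # The fork copies contract storage, so both bridges hold stored_chain_id == 1.
    pos = Bridge(POS_CHAIN_ID, POS_CHAIN_ID, check_runtime_id)
    pow_fork = Bridge(POW_CHAIN_ID, POS_CHAIN_ID, check_runtime_id)
    # One validator-approved message, created after the fork for the PoS chain.
    msg = ("0xRECIPIENT", 200, 7, POS_CHAIN_ID, sign("0xRECIPIENT", 200, 7, POS_CHAIN_ID))
    return pos.execute(msg), pow_fork.execute(msg), pow_fork.balance


if __name__ == "__main__":
    print("stored id only  :", replay_demo(False))
    print("runtime id check:", replay_demo(True))
```

The signature and the processed-message set both pass on the forked chain, because the message is genuine and was never seen there; only the comparison against the chain's actual ID stops the second release.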
The price of the ETHW token plummeted about 37% on the back of the news, hitting a fresh low of $4.22 earlier on Monday, according to CoinMarketCap. It currently trades at just over $5.
The developers behind the ETHW protocol confirmed the incident; however, they insisted that the attack did not originate from the ETHW blockchain and only affected the Omni bridge, not the Ethereum PoW network itself.
"ETHW itself has enforced EIP-155, and there is no replay attack from ETHPoS and to ETHPoS, which ETHW Core’s security engineers have planned in advance," the ETHW team said in a blog post.
The developers also said they have reached out to the Omni team to alert them of the exploit.
"We have contacted the bridge in every way and informed them of the risks," the ETHW blockchain developers said, adding that "bridges need to correctly verify the actual ChainID of the cross-chain messages.”
Had tried every way to contact Omni Bridge yesterday.
Bridges need to correctly verify the actual ChainID of the cross-chain messages.
— EthereumPoW (ETHW) Official #ETHW #ETHPoW (@EthereumPoW) September 18, 2022
What is ETHPoW?
ETHPoW is a hard fork of Ethereum supported by a group of miners who declared their intention to preserve the PoW chain following the merge—the commonly used term for the network’s switch to PoS.
The chain was launched last week shortly after the merge occurred; however, it got off to a rather bumpy start as the network faced several technical issues, including a Chain ID issue.
Notably, the possibility of a replay attack if ETHPoW failed to change its network’s chain ID from that of the Ethereum mainnet was raised some weeks before the merge.
However, ETHPoW founder Chandler Guo insisted back then that those fears were overblown, and told Decrypt that the network would change all chain IDs on its blockchain to prevent such attacks.