ETHPoW, the proof-of-work blockchain forked from Ethereum that went live shortly after Ethereum’s transition to proof-of-stake (PoS) last week, has fallen victim to a replay exploit that resulted in an extra 200 ETHW tokens being siphoned by the attacker.
Blockchain security company BlockSec revealed the incident on Sunday, saying that the attack happened through the Omni Bridge on the Gnosis chain.
“On September 16th, 2022, we detected that some attackers successfully harvested lots of ETHW by replaying the message (i.e., the calldata) of the PoS chain on EthereumPoW (aka the PoW chain),” BlockSec wrote in a Medium post.
According to the security researchers, the attacker first transferred 200 WETH through the Omni Bridge and then replayed the same message on the PoW chain, getting an extra 200 ETHW.
“By doing so, the balance of the chain contract deployed on the PoW chain could be drained,” BlockSec said.
The firm detailed that “the root cause of the exploitation is that the Omni bridge on the PoW chain uses the old chainId and doesn’t correctly verify the actual chainId of the cross-chain message,” adding that similar issues may exist in other protocols.
The price of the ETHW token plummeted about 37% on the back of the news, hitting a fresh low of $4.22 earlier on Monday, according to CoinMarketCap. It currently trades at just over $5.
The developers behind the ETHW protocol confirmed the incident; however, they insisted that the attack did not originate from the ETHW blockchain and only affected the Omni bridge, not the Ethereum PoW network itself.
"ETHW itself has enforced EIP-155, and there is no replay attack from ETHPoS and to ETHPoS, which ETHW Core’s security engineers have planned in advance," the ETHW team said in a blog post.
The developers also said they have reached out to the Omni team to alert them of the exploit.
"We have contacted the bridge in every way and informed them of the risks," the ETHW blockchain developers said, adding that "bridges need to correctly verify the actual ChainID of the cross-chain messages.”
Had tried every way to contact Omni Bridge yesterday.
Bridges need to correctly verify the actual ChainID of the cross-chain messages.
— EthereumPoW (ETHW) Official #ETHW #ETHPoW (@EthereumPoW) September 18, 2022
What is ETHPoW?
ETHPoW is a hard forkhard fork of Ethereum supported by a group of miners who declared their intention to preserve the PoW chain following the merge—the commonly used term for the network’s switch to PoS.
The chain was launched last week shortly after the merge occurred, however, it got off to a rather bumpy start as the network faced several technical issues, including a Chain ID issue.
It’s been awaited for half a decade, delayed for years, praised, condemned, tweaked, and so its developers say, perfected.
Ready or not, here comes Ethereum’s long-anticipated merge. But, given the technical feat that it is, is there any risk of something going terribly wrong?
The merge—Ethereum’s transition from a proof-of-work system to proof of stake—is set to occur between September 10 and September 20. During this historic upgrade to the second-largest cryptocurrency by market cap, upon wh...
Notably, the possibility of a replay attack if ETHPoW failed to change its network’s chain ID from that of the Ethereum mainnet was raised some weeks before the merge.
However, ETHPoW founder Chandler Guo insisted back then that those fears were overblown, and told Decrypt that the network would change all chain IDs on its blockchain to prevent such attacks.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
Tim Stokely, the founder of OnlyFans, has teamed up with the HBAR Foundation to submit a late-stage bid to acquire TikTok, as the social media giant stares down a U.S. deadline to divest or disappear.
The bid was submitted by Stokely’s new venture, Zoop, and the HBAR Foundation, which manages the treasury of the Hedera blockchain, to put forward an offer for TikTok’s U.S. operations, according to Reuters.
The move positions the pair among a growing crowd of bidders vying for control of the wild...
U.S. Senator Ted Cruz (R-TX) has introduced a new bill aiming to turn waste energy into electricity for Bitcoin mining.
The Facilitate Lower Atmospheric Released Emissions (FLARE) Act, introduced on March 31, is geared towards making waste energy productive by capturing gas that would otherwise be flared or vented. The plan is to incentivise this capture by offering full expensing for property used to capture that gas.
My legislation, the FLARE Act, incentivizes entrepreneurs and crypto miners...
Shoppers in Singapore can now use crypto to pay for gadgets on the Sony Store Online.
In a statement on Tuesday, Sony Electronics Singapore said it has enabled USDC payments through crypto exchange Crypto.com’s payment service, marking the company’s first local move into direct crypto transactions.
The feature allows customers to check out using USDC, a stablecoin pegged to the U.S. dollar. It’s currently exclusive to the Sony Store Online and available only via Crypto.com’s payment system.
Wi...
