ETHPoW, the proof-of-work blockchain forked from Ethereum that went live shortly after Ethereum’s transition to proof-of-stake (PoS) last week, has fallen victim to a replay exploit that resulted in an extra 200 ETHW tokens being siphoned by the attacker.
Blockchain security company BlockSec revealed the incident on Sunday, saying that the attack happened through the Omni Bridge on the Gnosis chain.
“On September 16th, 2022, we detected that some attackers successfully harvested lots of ETHW by replaying the message (i.e., the calldata) of the PoS chain on EthereumPoW (aka the PoW chain),” BlockSec wrote in a Medium post.
According to the security researchers, the attacker first transferred 200 WETH through the Omni Bridge and then replayed the same message on the PoW chain, getting an extra 200 ETHW.
“By doing so, the balance of the chain contract deployed on the PoW chain could be drained,” BlockSec said.
The firm detailed that “the root cause of the exploitation is that the Omni bridge on the PoW chain uses the old chainId and doesn’t correctly verify the actual chainId of the cross-chain message,” adding that similar issues may exist in other protocols.
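The root cause quoted above, modelled as a short added example (not code from BlockSec, the Omni Bridge or ETHW): a bridge contract whose storage was copied at the fork compares a message's chain ID against a stored value, beside a variant that compares it against the chain ID the chain itself reports. The class and function names, the HMAC stand-in for validator signatures and the chain ID values are assumptions made for illustration.

```python
import hashlib
import hmac

VALIDATOR_KEY = b"constructed-validator-key"  # stand-in for the validators' signing key
POS_CHAIN_ID, POW_CHAIN_ID = 1, 10001         # illustrative chain IDs for the two forks


def sign_message(chain_id, recipient, amount, nonce):
    """Validators attest to a release destined for one specific chain."""
    payload = f"{chain_id}|{recipient}|{amount}|{nonce}".encode()
    return hmac.new(VALIDATOR_KEY, payload, hashlib.sha256).hexdigest()


class Bridge:
    """Simplified model of a bridge contract (hypothetical, not the Omni Bridge)."""

    def __init__(self, stored_chain_id, actual_chain_id, balance, strict):
        self.stored_chain_id = stored_chain_id  # written to storage before the fork
        self.actual_chain_id = actual_chain_id  # what the chain reports at run time
        self.balance = balance
        self.strict = strict                    # True: check the actual chain ID
        self.executed = set()                   # nonces already processed here

    def execute(self, msg, sig):
        chain_id, recipient, amount, nonce = msg
        if not hmac.compare_digest(sig, sign_message(*msg)):
            return "bad signature"
        expected = self.actual_chain_id if self.strict else self.stored_chain_id
        if chain_id != expected:
            return "wrong chain"
        if nonce in self.executed:
            return "already executed"
        self.executed.add(nonce)
        self.balance -= amount
        return "released"


def replay_demo(strict):
    """Deliver one PoS-chain message to both forks; return both results and the PoW balance."""
    msg = (POS_CHAIN_ID, "0xRecipient", 200, 1)  # constructed sample message
    sig = sign_message(*msg)
    pos = Bridge(POS_CHAIN_ID, POS_CHAIN_ID, 1000, strict)
    # The fork copied contract storage, so the PoW copy still holds the old chain ID.
    pow_fork = Bridge(POS_CHAIN_ID, POW_CHAIN_ID, 1000, strict)
    return pos.execute(msg, sig), pow_fork.execute(msg, sig), pow_fork.balance
```

With the stored value, the PoW copy accepts the message a second time because the signature is valid and its own nonce set has never seen it; with the run-time chain ID, the same message is rejected and the balance is unchanged.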
The price of the ETHW token plummeted about 37% on the back of the news, hitting a fresh low of $4.22 earlier on Monday, according to CoinMarketCap. It currently trades at just over $5.
ETHPoW devs confirm exploit
The developers behind the ETHW protocol confirmed the incident; however, they insisted that the attack did not originate from the ETHW blockchain and only affected the Omni bridge, not the Ethereum PoW network itself.
“ETHW itself has enforced EIP-155, and there is no replay attack from ETHPoS and to ETHPoS, which ETHW Core’s security engineers have planned in advance,” the ETHW team said in a blog post.
The developers also said they have reached out to the Omni team to alert them to the exploit.
“We have contacted the bridge in every way and informed them of the risks,” the ETHW blockchain developers said, adding that “bridges need to correctly verify the actual ChainID of the cross-chain messages.”
Had tried every way to contact Omni Bridge yesterday.
Bridges need to correctly verify the actual ChainID of the cross-chain messages.
Again this is not a transaction replay on the chain level, it is a calldata replay due to the flaw of the specific contract. https://t.co/bHbYR4b2AW