It has emerged that the Ethereum Proof-of-Work (ETHPoW) network on Sunday suffered what was thought to be a replay attack after exploiters replayed calldata from the Proof-of-Stake (PoS) chain onto the PoW network.
Attackers Steal 200 Wrapped Ethereum
The attack was first noticed by blockchain security infrastructure provider BlockSec, which tweeted an alert informing members of the ETHPoW community about it.
In the tweet, BlockSec claimed the exploitation resulted from the omnibridge multi-token extension of the Gnosis chain not correctly verifying the ChainID of cross-chain messages.
According to BlockSec, the exploiters initially transferred 200 Wrapped Ethereum (wETH) via the Gnosis chain omnibridge and then replayed the same transaction on the PoW network to get an additional 200 wETH. The exploit drained the balance of the contract deployed on Ethereum PoW.
BlockSec said it had notified ETHPoW about the issue and warned that other protocols might be susceptible to the same exploitation.
Replay Attack is Not at Chain Level, According to ETHPoW
While acknowledging the exploit, ETHPoW provided raw data showing the two transactions were completely different, therefore ruling out a transaction replay on the chain level. It instead claimed that the exploit was a calldata replay caused by vulnerabilities in the specific bridge smart contract.
ETHPoW also stated that it had tried reaching out to the bridge in question to inform it of the vulnerability. ETHPoW further insisted that bridges must correctly verify the actual ChainID of cross-chain messages before executing transactions.
ETHPoW reiterated that it had already enforced EIP-155 to curb replay attacks from and to the Ethereum PoS chain.
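The difference between the two kinds of replay can be shown with a small model. EIP-155 binds the chain ID into the transaction signature, but a bridge message carried inside calldata has its own authorization that the contract must bind to the chain itself. The following is an added example, not code from the bridge or from ETHPoW; the HMAC stands in for validator signatures, and the key, chain IDs, recipient and class names are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed values for illustration (assumed, not taken from the article).
VALIDATOR_KEY = b"constructed-validator-key"
POS_CHAIN_ID, POW_CHAIN_ID = 1, 10001

@dataclass(frozen=True)
class Message:
    dest_chain_id: int   # chain the validators approved this message for
    recipient: str
    amount: int
    nonce: int

    def encode(self) -> bytes:
        return f"{self.dest_chain_id}|{self.recipient}|{self.amount}|{self.nonce}".encode()

def sign(msg: Message) -> bytes:
    # HMAC stands in for the validators' signatures over the message.
    return hmac.new(VALIDATOR_KEY, msg.encode(), hashlib.sha256).digest()

@dataclass
class Bridge:
    chain_id: int            # ID of the chain this copy of the contract runs on
    check_chain_id: bool     # False models the missing verification
    balance: int = 200
    seen: set = field(default_factory=set)  # per-chain replay protection only

    def execute(self, msg: Message, sig: bytes) -> bool:
        if not hmac.compare_digest(sig, sign(msg)):
            return False
        if msg.nonce in self.seen or msg.amount > self.balance:
            return False
        if self.check_chain_id and msg.dest_chain_id != self.chain_id:
            return False     # message was approved for a different chain
        self.seen.add(msg.nonce)
        self.balance -= msg.amount
        return True

def replay_across_fork(check_chain_id: bool):
    # After a fork both chains hold the same contract, validators and nonce state.
    pos = Bridge(POS_CHAIN_ID, check_chain_id)
    pow_ = Bridge(POW_CHAIN_ID, check_chain_id)
    msg = Message(POS_CHAIN_ID, "0xRecipient", 200, nonce=1)
    sig = sign(msg)
    return pos.execute(msg, sig), pow_.execute(msg, sig), pow_.balance
```

Without the check the same message and signature are accepted on both chains, because the nonce set only prevents replay within one chain; with the check the PoW copy rejects it and keeps its balance.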
Blockchain Experiencing Teething Problems
The ETHPoW blockchain, which forked from Ethereum at the Merge, went live on Thursday last week. Since then, it has recorded nearly 2 billion transactions. Additionally, the blockchain’s native token, ETHW, is now held in more than 250 million wallets and is supported by more than 10 crypto exchanges, including FTX, BitMart, and ByBit.
A growing number of projects, including DeFiEdge, Uniswap, and MetaMask, also support the PoW network.
However, the blockchain has also been bogged down by technical issues that have affected the value of ETHW. Just a day after the launch, ETHW lost 65% of its value. At one point, the token was selling for as low as $9.50, down from a high of $51.35.
The technical issues were mostly related to the blockchain’s ChainID, which distinguishes one network from another. After The Merge, ETHPoW needed a new ChainID to differentiate itself from the original Ethereum network and prevent duplicate transactions.
However, it soon became apparent that ETHPoW’s ChainID was the same as that of Smart Bitcoin Cash (BCHT). As soon as the ETHPoW team became aware of the issue, they adjusted the network’s ChainID, but not before several miners reportedly left the blockchain, causing its hash rate to fall to about 66.64 TH/s from an earlier peak of 80.56 TH/s.