Ethereum PoW Fork Suffers its First Smart Contract Hack - Blockworks

  • An attacker has raided ETHW from a smart contract on the Ethereum proof-of-work fork
  • Cybersecurity researchers warn similar attacks may happen on other ETHW smart contracts

ETHPoW (ETHW), the fledgling proof-of-work (PoW) Ethereum fork, has seen its first significant smart contract hack since the network split late last week.

Blockchain security infrastructure firm BlockSec first alerted users to a so-called ‘replay attack’ on Sunday, which leveraged legitimate transactions on the proof-of-stake (PoS) Ethereum blockchain alongside DeFi application Gnosis and multi-token extension OmniBridge.

Replay attacks and exploits can happen when cryptocurrencies — in this case wrapped ether (WETH) and ETHW — are treated as the same asset, even though they technically exist on entirely separate blockchains.

Ethereum transitioned its PoW-powered consensus model to PoS with a hard fork last Thursday. This formally ditched crypto miners in favor of collateralized validators, who, rather than run power-hungry GPU miners, stake crypto in the network for the right to process transactions.

In a bid to continue mining, some Ethereum participants opted to support a PoW fork in ETHW, a network which when deployed mirrored every single Ethereum-bound asset, including ether, NFTs and smart contracts underpinning protocols such as Gnosis and OmniBridge.

BlockSec told Blockworks the attack was not a replay exploit “on the chain stage” but rather one resulting from a contract vulnerability. This means neither Gnosis nor the Ethereum and ETHW networks were hacked. Instead, the OmniBridge smart contract on the proof-of-work fork mistakenly paid out funds.

First, the exploiter transferred 200 wrapped ether (WETH), currently worth $260,000, through the Ethereum blockchain’s OmniBridge protocol to the Gnosis network.

The hack consisted of replaying the same transaction message on the Ethereum PoW fork to receive 200 ETHW from that network’s copy of the OmniBridge smart contract.

ETHW markets tanked about 40% after word of the exploit first broke — from $8 to $5. It’s unclear whether the attacker cashed out the 200 ETHW stolen in the attack, but it’s now worth about $1,000.

The attack was possible because OmniBridge on the PoW chain was still accepting transactions that reference the proof-of-stake Ethereum blockchain’s “chainID,” a variable that serves as a unique identifier for different blockchain networks. The PoW fork uses a different chainID to help separate activity between the two networks.

“Because of this, the steadiness of the chain contract deployed on the PoW chain could be drained,” BlockSec wrote. Security researchers warned such attacks could happen on ETHW in the leadup to the fork.
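The chainID check described above can be illustrated with a simplified model, added here as an example and not taken from OmniBridge's code. It assumes the bridge compares a message's chain ID against a value written to contract storage at deployment, which a fork copies unchanged; the class and function names are hypothetical, the fork chain ID is a constructed stand-in, and an HMAC stands in for validator signatures.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

ETH_POS_CHAIN_ID = 1     # Ethereum mainnet
FORK_CHAIN_ID = 990001   # constructed stand-in for the fork's own chain ID
VALIDATOR_KEY = b"constructed-key"  # HMAC stands in for validator signatures

@dataclass(frozen=True)
class BridgeMessage:
    message_id: str
    recipient: str
    amount: int
    dest_chain_id: int   # chain on which the payout is meant to execute

    def sign(self) -> bytes:
        raw = f"{self.message_id}|{self.recipient}|{self.amount}|{self.dest_chain_id}"
        return hmac.new(VALIDATOR_KEY, raw.encode(), hashlib.sha256).digest()

@dataclass
class BridgeContract:
    live_chain_id: int       # what the chain reports at execution time
    stored_chain_id: int     # written to contract storage at deployment
    balance: int
    check_live_chain_id: bool
    executed: set = field(default_factory=set)

    def execute(self, msg: BridgeMessage, signature: bytes) -> bool:
        expected = self.live_chain_id if self.check_live_chain_id else self.stored_chain_id
        if (not hmac.compare_digest(signature, msg.sign())
                or msg.message_id in self.executed
                or msg.dest_chain_id != expected
                or msg.amount > self.balance):
            return False
        self.executed.add(msg.message_id)
        self.balance -= msg.amount
        return True

def fork_copy(c: BridgeContract, fork_chain_id: int) -> BridgeContract:
    # A fork copies contract storage verbatim; only the live chain ID changes.
    return BridgeContract(fork_chain_id, c.stored_chain_id, c.balance,
                          c.check_live_chain_id, set(c.executed))

def replay_outcome(check_live_chain_id: bool) -> tuple:
    mainnet = BridgeContract(ETH_POS_CHAIN_ID, ETH_POS_CHAIN_ID, 1000, check_live_chain_id)
    fork = fork_copy(mainnet, FORK_CHAIN_ID)
    msg = BridgeMessage("msg-1", "0xRecipient", 200, ETH_POS_CHAIN_ID)  # constructed
    sig = msg.sign()
    return mainnet.execute(msg, sig), fork.execute(msg, sig), fork.balance
```

`replay_outcome` returns whether the original chain and the fork each accepted the message, plus the fork copy's remaining balance; with the live chain ID check enabled, the fork copy rejects the message and keeps its balance.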

Gnosis co-founder Martin Koppelmann later tweeted to say that both Gnosis and Ethereum were in “no method affected.”

“We don’t assist the (ETHW) chain and don’t see us accountable for what is going on on that chain,” Koppelmann said. He said the attacker had spun up false bridge activity to drain funds on ETHW.

A proposal to deactivate the bridge’s links to ETHW, effectively closing this particular security loophole, will be put forth to the governance team overseeing OmniBridge, he said. BlockSec warned in a blog that similar incidents could happen elsewhere across the ETHW network.

ETHW Core, the stewards of ETHW, confirmed Sunday that the attack involved a bridge contract vulnerability and that it had notified OmniBridge “in every way” to inform them of the risks but had yet to receive a response.




  • Blockworks

    Senior Reporter, Asia News Desk

    Sebastian Sinclair is a senior news reporter for Blockworks working in South East Asia. He has experience covering the crypto market as well as certain developments affecting the industry including regulation, business and M&As. He currently holds no cryptocurrencies.

  • Blockworks

    Editor

    David Canellis is an editor and journalist based in Amsterdam who has covered the crypto industry full time since 2018. He is heavily focused on data-driven reporting to identify and map trends within the ecosystem, from bitcoin to DeFi, crypto stocks to NFTs and beyond.
