Ethereum PoW Fork Suffers its First Smart Contract Hack


  • An attacker has drained ETHW from a smart contract on the Ethereum proof-of-work fork
  • Cybersecurity researchers warn similar attacks could occur on other ETHW smart contracts

ETHPoW (ETHW), the fledgling proof-of-work (PoW) Ethereum fork, has seen its first significant smart contract hack since the network split late last week.

Blockchain security firm BlockSec first alerted users to a so-called 'replay attack' on Sunday. The attack reused legitimate transactions from the proof-of-stake (PoS) Ethereum blockchain that involved the Gnosis chain and its OmniBridge token bridge.

Replay attacks become possible when a transaction or signed message that is valid on one chain is also accepted on a fork of that chain, because nothing in the signed data ties it to a single network. Here the assets involved, wrapped ether (WETH) on Ethereum and ETHW on the fork, were effectively treated as the same asset even though they exist on completely separate blockchains.

Ethereum transitioned from PoW consensus to PoS with a hard fork last Thursday. This formally replaced crypto miners with collateralized validators who, rather than running power-hungry GPU miners, stake crypto in the network for the right to process transactions.

In a bid to continue mining, some Ethereum participants opted to support a PoW fork, ETHW, a network which at launch mirrored every asset and contract on Ethereum as of the fork block, including ether balances, NFTs and the smart contracts underpinning protocols such as Gnosis and OmniBridge.

BlockSec told Blockworks the attack was not a replay exploit "on the chain level" but rather the result of a contract vulnerability. This means neither Gnosis nor the Ethereum and ETHW networks themselves were hacked. Instead, the OmniBridge smart contract on the proof-of-work fork mistakenly paid out funds.

First, the exploiter transferred 200 wrapped ether (WETH), currently worth $260,000, through the Ethereum blockchain's OmniBridge protocol to the Gnosis network.

The hack then consisted of replaying the same bridge message on the Ethereum PoW fork, where that network's copy of the OmniBridge smart contract accepted it and paid out 200 ETHW.

ETHW markets tanked about 40% after word of the exploit first broke, from $8 to $5. It is unclear whether the attacker has cashed out the 200 ETHW taken in the attack; at current prices it is worth about $1,000.

The attack was possible because the OmniBridge contract on the PoW chain still accepted messages that had been authorized for the proof-of-stake Ethereum chain, identified by its "chainID", a value that uniquely identifies a blockchain network. The PoW fork uses a different chainID precisely so that actions on one network cannot be replayed on the other, but the bridge contract did not reject a message carrying the other chain's ID.

“As a result, the balance of the chain contract deployed on the PoW chain would be drained,” BlockSec wrote. Security researchers had warned that such attacks could occur on ETHW in the lead-up to the fork.
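The replay described above, the bridge message that was authorized for the PoS chain being re-submitted to the fork's copy of the contract, and the chainID binding that would have stopped it, as an added Python simulation. This is illustrative code, not OmniBridge's or BlockSec's: validator signatures are HMACs standing in for the ECDSA signatures a real bridge verifies with ecrecover, and the validator keys, recipient string and nonce are constructed sample values. Chain IDs 1 and 10001 are Ethereum mainnet and ETHW. The example goes one step beyond the article by also modelling a contract that wrote the chain ID to storage at deployment, since the fork copies that storage along with everything else.

```python
"""Simulation of a bridge release message replayed across a chain fork.

Added example, not OmniBridge code. Validator "signatures" are HMACs over
a message digest, standing in for the ECDSA signatures a real bridge
contract checks with ecrecover; the keys, recipient and nonce below are
constructed sample values. Chain IDs: 1 = Ethereum mainnet, 10001 = ETHW.
"""
import copy
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

Signature = Tuple[str, bytes]  # (validator name, HMAC over the digest)


def message_digest(recipient: str, amount: int, nonce: int,
                   chain_id: Optional[int]) -> bytes:
    """Digest the validators sign. chain_id=None is the unsafe encoding:
    nothing in the signed data says which chain the release is for."""
    parts = [recipient.encode(), amount.to_bytes(32, "big"),
             nonce.to_bytes(32, "big")]
    if chain_id is not None:
        parts.append(chain_id.to_bytes(32, "big"))
    return hashlib.sha256(b"".join(parts)).digest()


def sign(name: str, secret: bytes, digest: bytes) -> Signature:
    """Stand-in for an ECDSA signature by the named validator."""
    return name, hmac.new(secret, digest, hashlib.sha256).digest()


class BridgeCopy:
    """One deployment of the bridge contract.

    mode selects how the contract derives the digest it expects:
      "no_chain_id"     - chain id is not part of the signed message
      "cached_chain_id" - chain id read from storage, written at deployment
      "live_chain_id"   - chain id read from the node (block.chainid)
    """

    THRESHOLD = 2  # validator signatures required per release

    def __init__(self, chain_id: int, validators: Dict[str, bytes],
                 balance: int, mode: str):
        self.live_chain_id = chain_id      # what the node reports
        self.stored_chain_id = chain_id    # what the constructor wrote to storage
        self.validators = dict(validators)
        self.balance = balance             # funds locked in the contract
        self.processed = set()             # nonces already released
        self.mode = mode

    def fork(self, new_chain_id: int) -> "BridgeCopy":
        """Model the PoW fork: storage is copied as-is (validator set,
        balance, processed nonces, cached chain id); only the id the node
        reports changes."""
        twin = copy.deepcopy(self)
        twin.live_chain_id = new_chain_id
        return twin

    def expected_digest(self, recipient: str, amount: int, nonce: int) -> bytes:
        chain_id = {"no_chain_id": None,
                    "cached_chain_id": self.stored_chain_id,
                    "live_chain_id": self.live_chain_id}[self.mode]
        return message_digest(recipient, amount, nonce, chain_id)

    def release(self, recipient: str, amount: int, nonce: int,
                signatures: List[Signature]) -> bool:
        """Pay out if enough known validators signed the digest this copy
        of the contract computes for the request."""
        if nonce in self.processed or amount > self.balance:
            return False
        digest = self.expected_digest(recipient, amount, nonce)
        valid = 0
        for name, sig in signatures:
            secret = self.validators.get(name)
            if secret is None:
                continue
            if hmac.compare_digest(sign(name, secret, digest)[1], sig):
                valid += 1
        if valid < self.THRESHOLD:
            return False
        self.processed.add(nonce)
        self.balance -= amount
        return True


def run_replay(mode: str) -> Tuple[bool, bool, int]:
    """Authorize one 200-unit release on mainnet, execute it there, then
    replay the identical message and signatures on the ETHW copy.
    Returns (accepted on mainnet, accepted on ETHW, ETHW balance after)."""
    validators = {"v1": b"secret-1", "v2": b"secret-2", "v3": b"secret-3"}
    mainnet = BridgeCopy(1, validators, balance=200, mode=mode)
    ethw = mainnet.fork(10001)          # the fork starts from identical state

    recipient, amount, nonce = "0xattacker", 200, 7   # constructed values
    digest = mainnet.expected_digest(recipient, amount, nonce)
    sigs = [sign(n, validators[n], digest) for n in ("v1", "v2")]

    on_mainnet = mainnet.release(recipient, amount, nonce, sigs)
    on_ethw = ethw.release(recipient, amount, nonce, sigs)  # the replay
    return on_mainnet, on_ethw, ethw.balance


if __name__ == "__main__":
    for mode in ("no_chain_id", "cached_chain_id", "live_chain_id"):
        print(mode, run_replay(mode))
```

In the first two modes the ETHW copy pays out and its balance drops to zero; only the "live_chain_id" mode rejects the replay, because the contract on ETHW recomputes the digest with the chain ID the node reports (the CHAINID opcode of EIP-1344) and the validators' signatures no longer match. The per-contract nonce set gives no protection here, since the fork duplicated it along with the rest of storage. The "cached_chain_id" case is the one to look for when auditing contracts that compute an EIP-712 domain separator once in the constructor: on a fork the stored separator still names the original chain, so signatures remain replayable unless the contract rebuilds it when block.chainid changes.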

Gnosis co-founder Martin Koppelmann later tweeted that both Gnosis and Ethereum were in “no way affected.”

“We do not support the (ETHW) chain and do not see us responsible for what is happening on that chain,” Koppelmann said. He said the attacker had spun up false bridge activity to drain funds on ETHW.

A proposal to deactivate the bridge's links to ETHW, effectively closing this particular loophole, will be put to the governance team overseeing OmniBridge, he said. BlockSec warned in a blog post that similar incidents could occur elsewhere across the ETHW network.

ETHW Core, the stewards of ETHW, confirmed on Sunday that the attack involved a bridge contract vulnerability and said it had notified OmniBridge “in every way” of the risks but had yet to receive a response.


  • Sebastian Sinclair, Senior Reporter, Asia News Desk

    Sebastian Sinclair is a senior news reporter for Blockworks operating in South East Asia. He has experience covering the crypto market as well as certain developments affecting the industry including regulation, business and M&As. He currently holds no cryptocurrencies.

  • David Canellis

    David Canellis is an editor and journalist based in Amsterdam who has covered the crypto industry full time since 2018. He is heavily focused on data-driven reporting to identify and map trends within the ecosystem, from bitcoin to DeFi, crypto stocks to NFTs and beyond.

