The Ethereum Proof-of-Work (ETHW) network was the target of a cross-chain contract exploit only a day after the Merge was finalized, security company BlockSec said in a blog post on 18 September.
According to the company, the ETHW network, which was created as a fork of the Ethereum blockchain when it transitioned to a Proof-of-Stake (PoS) consensus mechanism, was the victim of a replay attack on 16 September. The exploiter was able to steal 200 ETHW tokens by replaying the call data from Ethereum’s PoS chain on the forked ETHW network. A replay exploit occurs when the same transaction is executed on two chains although it is supposed to be valid on only one of them.
After being notified about the exploit, the ETHW team quickly figured out that the attacker used the Omni cross-chain bridge on the Gnosis network to transfer 200 wETH tokens, and then replayed the same message on the PoW network, netting an extra 200 ETHW tokens. The root cause was that Omni used an old chainID and did not correctly verify the cross-chain message.
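The following added example (a simplified Python model, not Omni bridge code and not taken from the BlockSec post) shows why a bridge that checks messages against a stale chain ID accepts the same message on both sides of a fork, and how checking the chain's current ID rejects the replay. The class names, the chain ID values, and the idea that the stale ID lives in copied contract storage are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

POS_CHAIN_ID = 1        # sample value for the original chain (assumption)
FORK_CHAIN_ID = 10001   # sample value for the forked PoW chain (assumption)

@dataclass(frozen=True)
class Message:
    dest_chain_id: int  # chain the sender intended the message for
    recipient: str
    amount: int
    nonce: int

    def digest(self) -> str:
        raw = f"{self.dest_chain_id}|{self.recipient}|{self.amount}|{self.nonce}"
        return hashlib.sha256(raw.encode()).hexdigest()

@dataclass
class Bridge:
    live_chain_id: int    # what the chain itself reports right now
    cached_chain_id: int  # value written to contract storage before the fork
    use_live_id: bool     # False = stale-ID check, True = hardened check
    processed: set = field(default_factory=set)
    released: int = 0

    def execute(self, msg: Message) -> bool:
        # Validator signature checks are omitted: signatures over identical
        # bytes verify on both chains, so they do not stop a replay.
        expected = self.live_chain_id if self.use_live_id else self.cached_chain_id
        if msg.dest_chain_id != expected:
            return False              # message was meant for another chain
        if msg.digest() in self.processed:
            return False              # same-chain replay protection
        self.processed.add(msg.digest())
        self.released += msg.amount
        return True

def fork(bridge: Bridge, new_chain_id: int) -> Bridge:
    """A hard fork copies contract storage verbatim; only the live ID changes."""
    return Bridge(new_chain_id, bridge.cached_chain_id, bridge.use_live_id,
                  set(bridge.processed), 0)

def replay_outcome(use_live_id: bool) -> tuple:
    """Execute one message on the original chain, then replay it on the fork."""
    original = Bridge(POS_CHAIN_ID, POS_CHAIN_ID, use_live_id)
    forked = fork(original, FORK_CHAIN_ID)
    msg = Message(POS_CHAIN_ID, "0xRECIPIENT_PLACEHOLDER", 200, nonce=7)
    return original.execute(msg), forked.execute(msg)

if __name__ == "__main__":
    print("stale chain ID check :", replay_outcome(use_live_id=False))
    print("live chain ID check  :", replay_outcome(use_live_id=True))
```

Note that the per-chain `processed` set does not help here: each fork keeps its own copy of state, so a message consumed on one chain still looks unused on the other.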
The team behind ETHW said they had reached out to the Omni bridge in “every way”, notifying them about the exploit. The PoW network was created after the Merge — which transitioned Ethereum from PoW to PoS — when a group of miners decided to continue the PoW network through a hard fork. The blockchain’s native token, ETHW, has fallen in price by more than 30% following the news of the exploit.