ETHW Replay Exploit Caused by Omni Contract Vulnerability

  • Over the weekend the Ethereum PoW network fell victim to a replay exploit, with the attacker executing the same transaction on two chains at the same time.
  • The exploit was caused by a contract vulnerability in the Omni cross-chain bridge, and did not affect the ETHW network itself.
hack

Shutterstock

The Ethereum Proof-of-Work (ETHW) network was the target of a cross-chain contract exploit only a day after the Merge was finalized, security company BlockSec said in a blog post on 18 September.

According to the company, the ETHW network — which was created as a fork of the Ethereum blockchain when it transitioned to a Proof-of-Stake (PoS) consensus mechanism — was the victim of a replay attack on 16 September. The exploiter was able to steal 200 ETHW tokens by replaying the call data from Ethereum’s PoS chain on the forked ETHW network. A replay exploit refers to when the same transaction is being executed on two chains when they are not supposed to.

After being notified about the exploit, the ETHW team quickly figured out that the attacker used the Omni cross-chain bridge on the Gnosis network to transfer 200 wETH tokens, and then replayed the same message on the PoW network, netting him an extra 200 ETHW tokens. The root cause of the problem came from Omni using an old chainID, and not correctly verifying the cross-chain message.

The team behind ETHW said they had reached out to the Omni bridge in “every way”, notifying them about the exploit. The PoW network was created after the Merge — which transitioned Ethereum from PoW to PoS — when a group of miners decided to continue the PoW network through a hard fork. The blockchain’s native token, ETHW, has fallen in price by more than 30% following the news of the exploit.

Discussion
Related Coverage
The Merge is Finalized, Ethereum Switches to Proof-of-Stake
  • Ethereum’s PoS upgrade, also known as the Merge, was executed at 06:44 AM UTC on 15 September, combining the existing blockchain with the parallel Beacon Chain.
  • The move has reduced Ethereum’s energy consumption by more than 99%, which is equal to 0.2% of the global electricity consumption.
September 15, 2022, 10:27 AM
Ethereum Founder and Inventor Vitalik Buterin

Ethereum founder and Vitalik Buterin during TechCrunch Disrupt SF, San Francisco, California, September 18, 2017.
Steve Jennings/Getty Images for TechCrunch

Coinbase Launches Wrapped Staked ETH Token
  • Called Coinbase Wrapped Staked ETH (cbETH), the new token will allow Coinbase customers to use their staked ETH while still earning rewards on the exchange.
  • cbETH will not track the price of ETH as it represents the stacked token plus all of its accumulated staking interest, which will cause a “divergence” in the price of the two assets.
Token Bridge Wormhole Exploited for $334M
  • Since the incident, the Wormhole team has claimed to have found a fix to the exploit, which has already been deployed, and that all funds were safe.
  • The token bridge has also contacted the hacker through his Ethereum address, offering him a $10 million bug bounty if he was willing to return the stolen funds.