After one week of existence, the new blockchain Ethereum PoW (ETHW) has seen one of its applications suffer its first hack. The choice of the majority of the ecosystem to focus only on Ethereum (ETH) could then lead to Ethereum PoW applications dying a slow death.
First hack occurs on an Ethereum PoW application
Following the Ethereum Merge (ETH), a persistent chain called Ethereum PoW (ETHW) has remained, bringing together the few miners who wish to keep the proof-of-work consensus alive. With the majority of the ecosystem trusting the new Ethereum update, the viability of the PoW version is uncertain at best.
After a few days of existence, the first problems have started to appear. While the blockchain itself seems to be working as it should, this is not the case for all applications, especially OmniBridge. This platform allows communication with the Gnosis Chain and an error in the bridge’s smart contract allowed the attacker to execute actions on both the Ethereum blockchain and the PoW version.
This would be because OmniBridge uses the Ethereum Chain ID instead of the Ethereum PoW Chain ID on the proof-of-work chain. In simple terms, a Chain ID can be seen as the identity number of a blockchain. This malfunction allowed the attacker to dump the ETHWs on the Ethereum PoW OmniBridge smart contract.
The exploitation of the flaw
This hack was brought to light by BlockSec teams:
1/ Alert | BlockSec detected that exploiters are replaying the message (calldata) of the PoS chain on @EthereumPow The root cause of the exploitation is that the bridge doesn’t correctly verify the actual chainid (which is maintained by itself) of the cross-chain message.
– BlockSec (@BlockSecTeam) September 18, 2022
The attacker initially deposited ETH into the OmniBridge smart contract on the Ethereum blockchain. He then withdrew them. In parallel, the Chain ID issue on OmniBridge of Ethereum PoW allowed the attacker to use a command, to receive an equivalent amount of ETHW on this network.
Normally, a series of updates to Ethereum, known as the Ethereum Improvement Proposal (EIP), would have prevented this type of attack. But the OmniBridge code is said to use an old version of the Solidity language. The hard fork that led to the birth of Ethereum PoW would have allowed these flaws to be revealed.
The loot from the operation is not significant in itself, but analysis of the attacker’s transactions shows that he sent 741 ETHW back to the MEXC exchange platform. This brings the amount at the time of the incident to a value of $8-10,000 at most.
However, it is likely that similar problems are present in other applications and would allow other attackers to recover ETHW and sell them on centralized platforms.
Interacting with Ethereum PoW
For those who had ETH on the Ethereum network at the time of the Merge, they collected an equivalent amount of ETHW on Ethereum PoW. The teams of the new network have indicated the information to be filled in to configure its wallet, to use it:
ETHW Mainnet Info
Network Name: ETHW-mainnet
New RPC URL: https://t.co/MQ04pnPQyW
Chain ID: 10001
Currency Symbol: ETHW
Block Explorer URL(Optional): https://t.co/J3JllmQA8I– EthereumPoW (ETHW) Official ETHPoW (@EthereumPoW) September 15, 2022
According to CoinGecko, the following platforms have already listed ETHW:
- OKX ;
- Digifinex;
- FTX ;
- Bitfinex ;
- MEXC Global.
However, we would like to remind you to be vigilant about scam attempts on this occasion
