Embattled Ethereum fork ETHPoW had a difficult birth. Shunned by many major exchanges, written off by Vitalik and tanking after a brief high, things looked like they couldn’t get much worse. That was before attackers found a way to exploit Omni Bridge and syphon away the newly forked token.
A simple but lucrative exploit
Blockchain security specialists BlockSec were the first to notice that something was wrong. On September 16th their analysts realised that attackers were harvesting large quantities of ETHPoW by “replaying the message (i.e., the calldata) of the PoS chain on EthereumPoW (aka the PoW chain).” This was happening because Omni Bridge was using an out-of-date ChainID.
The exploit allowed an attacker to transfer 200 WETH via Omni Bridge and then replay the same message on the PoW chain. This gave them an additional 200 ETHW. BlockSec notified the ETHPoW team, who frantically reached out to Omni Bridge to get the exploit fixed. When they were unable to do this, and attacks continued to happen, BlockSec felt the need to go public on September 18th. You can read a full and more detailed account here.
The exploit was fairly simple in its execution.
Ominously, the BlockSec analysis suggests that the same vulnerability might exist elsewhere too, potentially opening the way for further exploits. The team behind ETHPoW took to Twitter, thanking BlockSec for their work and confirming the exploit. They were quick to defend the forked blockchain, however, noting that this is a problem specific to Omni Bridge. ETHW’s price subsequently crashed by 37%.
The risks of forks and upgrades
More than anything, the exploit shows the risks associated with forks and blockchain updates. The team behind ETHW tweeted that they tried “every way” to contact Omni Bridge and warned that other bridges need to “correctly verify the actual ChainID of the cross-chain messages.” Forks like this are fraught with potential pitfalls. BlockSec notes that the ETHW team responded quickly and proactively to the threat, but without an immediate response from Omni Bridge, there was little they could do apart from issuing a warning.
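The chain ID check described above, as an added example that is not from BlockSec, the ETHW team or Omni Bridge: a simplified Python model of a bridge verifier that compares a message's chain ID either against a value stored at deployment (which a fork copies unchanged) or against the ID the running chain actually reports. HMAC stands in for validator signatures, and the class, key, payload and chain ID values are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed values: the key and both chain IDs are illustrative assumptions.
VALIDATOR_KEY = b"constructed-validator-key"
POS_CHAIN_ID = 1        # chain the bridge was originally deployed on
POW_CHAIN_ID = 10001    # ID the forked chain reports for itself


def sign(chain_id: int, payload: bytes) -> bytes:
    """Validator approval over (chain ID, payload); HMAC stands in for a signature."""
    return hmac.new(VALIDATOR_KEY, chain_id.to_bytes(32, "big") + payload,
                    hashlib.sha256).digest()


class BridgeVerifier:
    """Hypothetical bridge endpoint; a fork copies its storage, stored ID included."""

    def __init__(self, actual_chain_id: int, stored_chain_id: int, use_actual: bool):
        self.actual_chain_id = actual_chain_id  # what the running chain reports
        self.stored_chain_id = stored_chain_id  # written once at deployment
        self.use_actual = use_actual
        self.executed = set()                   # per-chain replay protection

    def execute(self, msg_chain_id: int, payload: bytes, sig: bytes) -> bool:
        expected = self.actual_chain_id if self.use_actual else self.stored_chain_id
        if msg_chain_id != expected:
            return False  # message was addressed to a different chain
        if not hmac.compare_digest(sig, sign(msg_chain_id, payload)):
            return False  # approval does not cover this chain ID and payload
        msg_id = hashlib.sha256(msg_chain_id.to_bytes(32, "big") + payload).digest()
        if msg_id in self.executed:
            return False  # already processed on this chain
        self.executed.add(msg_id)
        return True


def replay_outcomes() -> dict:
    payload = b"release 200 to 0xCONSTRUCTED"   # constructed message body
    sig = sign(POS_CHAIN_ID, payload)           # approved for the PoS chain only
    pos = BridgeVerifier(POS_CHAIN_ID, POS_CHAIN_ID, use_actual=True)
    stale_fork = BridgeVerifier(POW_CHAIN_ID, POS_CHAIN_ID, use_actual=False)
    fixed_fork = BridgeVerifier(POW_CHAIN_ID, POS_CHAIN_ID, use_actual=True)
    return {
        "pos_first": pos.execute(POS_CHAIN_ID, payload, sig),          # legitimate
        "pos_again": pos.execute(POS_CHAIN_ID, payload, sig),          # same-chain replay
        "fork_stale": stale_fork.execute(POS_CHAIN_ID, payload, sig),  # accepted on fork
        "fork_fixed": fixed_fork.execute(POS_CHAIN_ID, payload, sig),  # rejected on fork
    }
```

The per-chain replay set does not help on the fork because each chain keeps its own record of executed messages; only the comparison against the chain's actual ID rejects the copied message.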
Ethereum and everything associated with it has taken a battering post-Merge. It dropped by over 25% in the immediate aftermath, and ETC (which many thought would profit from the miner exodus) tanked too, having risen by over 250% in the days preceding the Merge. The worst was reserved for ETHPoW. It wrote off 80% of its previous value, with some commentators suggesting that obsolescence is around the corner.
Just how long ETHPoW will endure and what its ultimate fate will be remains uncertain. Even ETHW’s founder admitted that there was a “90% chance” it will fail. Miners will be picking over the bones of The Merge for months, but this exploit further undermines the credibility of a blockchain that very few people ever fully supported.