BlockSec detects replay exploit with ETHPoW tokens

Quick Take

  • BlockSec alerted on Sunday to a replay exploit with ETHPoW tokens.
  • The attacker allegedly managed to get an extra 200 ETHW after transferring 200 wrapped ETH (WETH) through a bridge of the Gnosis chain.

The Ethereum proof-of-work blockchain suffered a replay exploit with the attacker getting an extra 200 ETHW tokens after replaying a message from the proof-of-stake chain on ETHPoW, according to a cybersecurity firm that alerted the issue on Sunday. 

"The exploiter (0x82fae) first transferred 200 WETH through the omni bridge of the Gnosis chain, and then replayed the same message on the PoW chain and got extra 200 ETHW," security company BlockSec said on Twitter. The attack happened because the bridge didn't correctly verify the chain ID of the cross-chain message, the company claimed. 

The ETHPoW blockchain developer team said that an attack exploited the contract vulnerability of the bridge, and not their blockchain itself. 

"ETHW itself has enforced EIP-155, and there is no replay attack from ETHPoS and to ETHPoS, which ETHW Core’s security engineers have planned in advance," the ETHW Core developers wrote in a Medium post.

The developer team also said that it had been trying to get in contact with Omni Bridge since Saturday to inform them of the risks. Omni Bridge did not immediately respond to a request for comment. 

"We have contacted the bridge in every way and informed them of the risks," it said. "Bridges need to correctly verify the actual ChainID of the cross-chain messages," they said.

The ETHPoW fork on the proof-of-work Ethereum blockchain went live this week after The Merge. The token has fallen over 35% following the news of the exploit Sunday morning, according to data from TradingView.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.