Ethereum PoW suffers first smart contract exploit

Ethereum PoW suffers first smart contract exploit

The proof-of-work (PoW) fork of the Ethereum blockchain may be off to a rocky start following a cross-chain contract exploit last week.

Over the weekend, news broke that ETHPoW, the post-Ethereum Merge PoW chain, had suffered an on-chain replay attack. Blockchain security firm BlokcSec first flagged the so-called “replay attack” on Sunday, revealing that the attackers replayed the call data of legitimate transactions on Ethereum’s proof-of-stake (PoS) blockchain on the forked PoW Ethereum chain.

A replay attack occurs when a valid data transmission is intercepted and then maliciously delayed or repeated. It can come either from the originator or an adversary who intercepts the data and re-transmits it.

In the ETHPoW incident, the attacker transferred 200 wrapped Ether (WETH) through the OmniBridge protocol of the Gnosis chain before replaying the same transaction message on the Ethereum PoW fork. As a result, the exploiter received 200 ETHW from the forked network’s copy of the OmniBridge smart contract.

BlockSec explained that the Omni cross-chain bridge on the ETHW chain was not correctly verifying the chainID of the cross-chain message. As a result, the attack was not a replay exploit on a chain level but rather due to a contract vulnerability. Notably, neither Gnosis nor the EthereumPoW was compromised. Instead, the OmniBridge smart contract mistakenly paid out funds.

The value of ETHW plummeted by about 40% as news of the exploit first broke, dropping from $8 to $5. As of press time, the price of the token had rebounded slightly and was trading at $6.11.

Ethereum transitioned to a PoS consensus model last Thursday, formally ditching crypto miners in favor of collateralized validators. However, some disgruntled participants of the network opted to support a PoW fork in the form of ETHPoW.

Read more