ETHW confirms contract vulnerability exploit, dismisses replay attack claims

Published at: Sept. 19, 2022

Post-Ethereum Merge proof-of-work (PoW) chain ETHW has moved to quell claims that it had suffered an on-chain replay attack over the weekend.

Smart contract auditing firm BlockSec flagged what it described as a replay attack that took place on Sept. 16, in which attackers harvested ETHW tokens by replaying the call data of Ethereum’s proof-of-stake (PoS) chain on the forked Ethereum PoW chain.

According to BlockSec, the root cause of the exploit was due to the fact that the Omni cross-chain bridge on the ETHW chain used old chainID and was not correctly verifying the correct chainId of the cross-chain message.

Ethereum’s Mainnet and test networks use two identifiers for different uses, namely, a network ID and a chain ID (chainID). Peer-to-peer messages between nodes make use of network ID, while transaction signatures make use of chainID. EIP-155 introduced chainID as a means to prevent replay attacks between the ETH and ETC blockchains.

1/ Alert | BlockSec detected that exploiters are replaying the message (calldata) of the PoS chain on @EthereumPow. The root cause of the exploitation is that the bridge doesn't correctly verify the actual chainid (which is maintained by itself) of the cross-chain message.

— BlockSec (@BlockSecTeam) September 18, 2022

BlockSec was the first analytics service to flag the replay attack and notified ETHW, which in turn quickly rebuffed initial claims that a replay attack had been carried out on-chain. ETHW made attempts to notify Omni Bridge of the exploit at the contract level:

Had tried every way to contact Omni Bridge yesterday.Bridges need to correctly verify the actual ChainID of the cross-chain messages.Again this is not a transaction replay on the chain level, it is a calldata replay due to the flaw of the specific contract. https://t.co/bHbYR4b2AW pic.twitter.com/NZDn61cslJ

— EthereumPoW (ETHW) Official #ETHW #ETHPoW (@EthereumPoW) September 18, 2022

Analysis of the attack revealed that the exploiter started by transferring 200 WETH through the Omni bridge of the Gnosis chain before replaying the same message on the PoW chain, netting an extra 200ETHW. This resulted in the balance of the chain contract deployed on the PoW chain being drained.

Related: Cross-chains in the crosshairs: Hacks call for better defense mechanisms

BlockSec’s analysis of the Omni bridge source code showed that the logic to verify chainId was present, but the verified chainID used in the contract was pulled from a value stored in the storage named unitStorage.

The team explained that this was not the correct chainId collected through the CHAINID opcode, which was proposed by EIP-1344 and exacerbated by the resulting fork after the Ethereum Merge:

“This is probably due to the fact that the code is quite old (using Solidity 0.4.24). The code works fine all the time until the fork of the PoW chain.”

This allowed attackers to harvest ETHW and potentially other tokens owned by the bridge on the PoW chain and go on to trade these on marketplaces listing the relevant tokens. Cointelegraph has reached out BlockSec to ascertain the value extracted during the exploit.

Following Ethereum's successful Merge event which saw the smart contract blockchain transition from PoW to PoS, a group of miners decided to continue the PoW chain through a hard fork. 

Tags
Related Posts
Solana and Arbitrum knocked offline, while Ethereum evades attack
Surging Ethereum rival, Solana (SOL), has shed 15% of its value over the past 24 hours after suffering a denial-of-service disruption. On Tuesday at 12:38 pm UTC, Twitter account Solana Status announced that Solana’s mainnet beta had been suffering intermittent instability over a 45-minute period. Six hours after announcing the incident, Solana Status explained that a large increase in transaction load to 400,000 per second had overwhelmed the network, created a denial-of-service, and caused the network to start forking. 1/ Solana Mainnet Beta encountered a large increase in transaction load which peaked at 400,000 TPS. These transactions flooded the transaction …
Technology / Sept. 15, 2021
Crypto.com finally speaks out: 483 user accounts compromised
The Crypto.com security breach saga gets clarity with an official statement from the Singapore-based crypto exchange following a halt on withdrawals after detecting "suspicious activities" in user accounts. In a statement today, Crypto.com revealed that "4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other currencies" had been taken from clients' accounts without their permission. The overall loss is presently valued at around $33.8 million, as per the current market value. Following a security breach, several Crypto.com users have made complaints that their money had been stolen. However, the company's previous responses had failed to quell concerns. Following the 17th of …
Bitcoin / Jan. 20, 2022
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'
On Thursday, Jump Crypto, a crypto venture capital firm that owns Certus One, the developer of the Wormhole token bridge, announced it had deposited 120 thousand Ether (ETH) into a Solana-Ethereum bridge that suffered a devastating exploit. The day prior, hackers fraudulently minted 120 thousand wrapped Ether (wETH) worth $321 million on the Solana (SOL) platform, then redeemed 93,750 wETH for ETH on the Ethereum network while swapping the rest for other altcoins on the Solana network. The cross-chain ETH-wETH is supposed to have an exchange ratio of 1:1 against one another. Therefore, unauthorized minting of wETH leads to significant …
Technology / Feb. 3, 2022
Transit Swap loses over $21M due to internal bug hack, issues apology
Transit Swap, a multi-chain decentralized exchange (DEX) aggregator, lost roughly $21 million after a hacker exploited an internal bug on a swap contract. Following the revelation, Transit Swap issued an apology to the users while efforts to track down and recover the stolen funds are underway. “We are deeply sorry,” stated Transit Swap while revealing that a bug in the code allowed a hacker to make away with an estimated $21 million. Blockchain investigator Peckshield narrowed down the attack to a compatibility issue or misplaced trust in the swap contract. pic.twitter.com/KJ7u5xoxBp — Transit Swap | Transit Buy | NFT (@TransitFinance) …
Ethereum / Oct. 2, 2022
Here's how to quickly spot a deepfake crypto scam — cybersecurity execs
Crypto investors have been urged to keep their eyes peeled for "deepfake" crypto scams to come, with the digital-doppelganger technology continuing to advance, making it harder for viewers to separate fact from fiction. David Schwed, the COO of blockchain security firm Halborn told Cointelegraph that the crypto industry is more “susceptible” to deepfakes than ever because “time is of the essence in making decisions” which results in less time to verify the veracity of a video. Deepfakes use deep learning artificial intelligence (AI) to create highly realistic digital content by manipulating and altering original media, such as swapping faces in …
Blockchain / Jan. 13, 2023