Ethereum PoW Fork Suffers its First Smart Contract Hack

The Ethereum PoW fork is off to a rocky start — one of the network’s smart contracts has endured a hack, triggering collapsing prices

article-image

Source: Shutterstock

share

key takeaways

  • An attacker has raided ETHW from a smart contract on the Ethereum proof-of-work fork
  • Cybersecurity researchers warn similar attacks could occur on other ETHW smart contracts

ETHPoW (ETHW), the fledgling proof-of-work (PoW) Ethereum fork, has seen its first significant smart contract hack since the network split late last week.

Blockchain security infrastructure firm BlockSec first alerted users of a so-called ‘replay attack’ on Sunday, which leveraged legitimate transactions on the proof-of-stake (PoS) Ethereum blockchain alongside DeFi application Gnosis and multi-token extension OmniBridge.

Replay attacks and exploits can occur when cryptocurrencies — in this case wrapped ether (WETH) and ETHW — are treated as the same asset, even though they technically exist on completely separate blockchains.

Ethereum transitioned its PoW-powered consensus model to PoS with a hard fork last Thursday. This formally ditched crypto miners in favor of collateralized validators, who, rather than run power-hungry GPU miners, stake crypto in the network for the right to process transactions.

In a bid to continue mining, some Ethereum participants opted to support a PoW fork in ETHW, a network which when deployed mirrored every single Ethereum-bound asset, including ether, NFTs and smart contracts underpinning protocols such as Gnosis and OmniBridge.

BlockSec told Blockworks the attack was not a replay exploit “on the chain level” but rather one resulting from a contract vulnerability. This means neither Gnosis nor the Ethereum and ETHW networks were hacked. Instead, the OmniBridge smart contract on the proof-of-work fork mistakenly paid out funds.

First, the exploiter transferred 200 wrapped ether (WETH), currently worth $260,000, through the Ethereum blockchain’s OmniBridge protocol to the Gnosis network. 

The hack consisted of replaying the same transaction message on the Ethereum PoW fork to receive 200 ETHW from that network’s copy of the OmniBridge smart contract.

ETHW markets tanked about 40% after word of the exploit first broke — from $8 to $5. It’s unclear whether the attacker cashed out the 200 ETHW stolen in the attack but it’s now worth about $1,000.

The attack was possible due to the OmniBridge on the PoW chain still accepting transactions that reference the proof-of-stake Ethereum blockchain’s “chainID,” a variable that serves as a unique identifier for different blockchain networks. The PoW fork uses a different chainID to help separate actions between the two networks.

“As a result, the balance of the chain contract deployed on the PoW chain would be drained,” BlockSec wrote. Security researchers warned such attacks could occur on ETHW in the leadup to the fork.

Gnosis co-founder Martin Koppelmann later tweeted to say that both Gnosis and Ethereum were in “no way affected.” 

“We do not support the (ETHW) chain and do not see us responsible for what is happening on that chain,” Koppelmann said. He said the attacker had spun up false bridge activity to drain funds on ETHW.

A suggestion to deactivate the bridge’s links to ETHW, effectively closing this particular security loophole, will be put forth to the governance team overseeing OmniBridge, he said. BlockSec warned in a blog that similar incidents could occur elsewhere across the ETHW network.

ETHW Core, the stewards of ETHW,  confirmed Sunday the attack involved a bridge contract vulnerability and had notified OmniBridge “in every way” to inform them of the risks but had yet to receive a response.


Don’t miss the next big story – join our free daily newsletter.

Tags

    Upcoming Events

    Hilton Metropole | 225 Edgware Rd, London

    Mon - Wed, March 18 - 20, 2024

    Crypto’s premier institutional conference returns to London in March 2024. The DAS: London Experience: Attend expert-led panel discussions and fireside chats Hear the latest developments regarding the crypto and digital asset regulatory environment directly from policymakers and experts.

    Salt Lake City, UT

    WED - FRI, OCTOBER 9 - 11, 2024

    Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

    recent research

    Research report - cover graphics (1).jpg

    Research

    In this report, we dive into crypto private market data to gather insights on where the future of the industry is headed. Despite a notable downturn in private raises, capital continues to infuse promising projects that aim to transform payments, banking, consumer experiences, community, and more, with 2023 being the fourth-largest year for crypto venture capital.

    article-image

    BUZZ holds shares of Coinbase, Robinhood and MicroStrategy

    article-image

    Opinion: Even though I didn’t pay for my “Diamond Hands” burger with BTC, don’t let that fool you into thinking that crypto’s development is futile

    article-image

    The results mark “a major positive inflection point,” one analyst says, as the exchange carries net income momentum into a crypto rally

    article-image

    While the slate of 10 US spot bitcoin funds have tallied $4.6 billion of net inflows thus far, half of the field is lagging the leaders

    article-image

    Trading volumes totalled $154 billion in Q4, including $125 billion in institutional volume

    article-image

    DeFi on Bitcoin is all the rage right now and Stacks is positioned to benefit