A replay attack against Omni bridge resulted in a hacker exploiting 200 WETH from the Ethereum PoW chain.
On Sept. 18, security firm BlockSec identified a replay attack launched against the Ethereum PoW chain.
The attacker transferred 200 WETH from the Ethereum PoS chain through the Omni bridge. The transaction was reportedly replicated on the Ethereum PoW chain.
3/ The exploiter (0x82fae) first transferred 200 WETH through the omni bridge of the Gnosis chain, and then replayed the same message on the PoW chain and got extra 200 ETHW. As a result, the balance of the chain contract deployed on the PoW chain would be drained.
— BlockSec (@BlockSecTeam) September 18, 2022
Omni bridge failed to validate the actual chainID before approving the transaction. As a result, the PoW chain was drained of 200 WETH.
According to security firm Certik, the attacker has transferred the funds through Mexc Global for possible cash out.
EthereumPoW is Safu
From the TX hash of the exploit, the ETHPoS and ETHPoW had different transaction data.
ETHW Core developers clarified that the replay attack was impossible against EthereumPoW as it enforced EIP-155.
By design, EIP-155 includes the chainID of a transaction to avoid replays of the transaction on different chains.
ETHW Core added that the attack exploited a contract vulnerability of the Omni bridge. The bridge has been informed to address the issue.
Slow adoption for ETHW
Since launching on Sept. 15. Ethereum PoW has not gathered much adoption from the crypto community.
Leading exchanges like FTX, OKX, and Bybit rallied around to see that spot trading opened for the ETHW token on Sept. 16. As a result, ETHW price reached an all-time high of $60.68.
However, with the general market decline and low excitement post-merge, ETHW has fallen below $5, shedding off over 90% of its all-time high gain as press time.
Grayscale investment hinted at plans to sell off its 3.1 million ETHPoW airdrop tokens. The firm said it will sell the tokens and redistribute the proceeds to shareholders.