Update: On Tuesday, Sep. 20, Binance completed the distribution of Ethereum proof-of-work tokens to eligible ETH holders following the merge. ETHW price has been increasing since reaching a low of $3.88 on Monday.
According to BlockSec, which first discovered the attack, the exploit happened because the bridge did not correctly verify the actual chainID of the cross-chain message.
The exploiter first transferred 200 WETH through the Omnibridge of the Gnosis chain. Then, the same transaction was replayed on the PoW chain to get an extra 200 ETHW.
According to the blockchain security firm, the attacker could drain the balance of the contract on the PoW chain.
CertiK further stated that the exploiter has transferred the funds to MEXC.
ETH PoW team says the transaction replay was not on chain level
ETH PoW’s official Twitter account has acknowledged the attack stating that it is not a transaction replay on the chain level. Instead, it is due to the call data replay caused by a flaw in the contract.
The team said:
“(We) Had tried every way to contact Omni Bridge yesterday. Bridges need to correctly verify the actual ChainID of the cross-chain messages.”
Meanwhile, a chain-level replay attack is impossible on the ETHPOW chain as the network enforced EIP-155 before the hard fork. This means that transactions on the ETH proof-of-stake chain cannot be re-enacted on the POW chain or Vice versa.
However, the fact that the exploit is not happening on the chain level might not matter much. The PoW fork has only been live for less than 72 hours and experiencing an exploit this early could affect its potential for more adoption.
ETHW sheds 18%
According to Peckshield, ETHW shed 12% of its value on the back of the news.
In the last 24 hours, the ETHW token dropped by 17.8%. The token has seen its value massively decline by more than 80% within the last two weeks. As of Sep. 20, ETHW had listed on most major centralized exchanges including Binance, FTX, and OKX. The price has since continued to decline at was sitting at $5.94 at the time of this update.