Post-Ethereum Merge proof-of-work (PoW) chain ETHW has moved to quell claims that it suffered an on-chain replay attack over the past weekend.
Smart contract auditing firm BlockSec flagged what it described as a replay attack that took place on Sept. 16, in which attackers harvested ETHW tokens by replaying the calldata of Ethereum’s proof-of-stake (PoS) chain on the forked Ethereum PoW chain.
According to BlockSec, the root cause of the exploit was that the Omni cross-chain bridge on the ETHW chain used an old chainID and was not properly verifying the correct chainID of the cross-chain message.
Ethereum’s Mainnet and test networks use two identifiers for different purposes, namely a network ID and a chain ID (chainID). Peer-to-peer messages between nodes use the network ID, while transaction signatures use the chainID. EIP-155 introduced chainID as a way to prevent replay attacks between the Ethereum (ETH) and Ethereum Classic (ETC) blockchains.
1/ Alert: BlockSec detected that exploiters are replaying the message (calldata) of the PoS chain on @EthereumPow. The root cause of the exploitation is that the bridge does not properly verify the actual chainid (which is maintained by itself) of the cross-chain message.
— BlockSec (@BlockSecTeam) September 18, 2022
BlockSec was the first analytics platform to flag the replay attack and notified ETHW, which quickly rebuffed initial claims that the replay attack had been carried out on-chain. ETHW made attempts to inform Omni Bridge of the exploit at the contract level:
Had attempted every method to contact Omni Bridge yesterday.
Bridges have to properly verify the actual ChainID of the cross-chain messages.
Again, this isn’t a transaction replay at the chain level, it’s a calldata replay due to a flaw in the specific contract. https://t.co/bHbYR4b2AW pic.twitter.com/NZDn61cslJ
— EthereumPoW (ETHW) Official #ETHW #ETHPoW (@EthereumPoW) September 18, 2022
Research into the attack indicates the exploiter began by transferring 200 WETH through the Omni bridge from the Gnosis chain, then replayed the same message on the PoW chain, netting an additional 200 ETHW. This led to the balance of the contract deployed on the PoW chain being drained.
Related: Cross-chains in the crosshairs: Hacks call for better defense mechanisms
BlockSec’s analysis of the Omni bridge source code showed that the logic to verify the chainID was present; however, the chainID used in the verification was pulled from a value kept in storage under the name unitStorage.
It explained that this was not the real chainID obtained via the CHAINID opcode, which was proposed in EIP-1344, and that the flaw was exacerbated by the fork that followed the Ethereum Merge:
“This is most likely because the code is very old (using Solidity 0.4.24). The code has worked fine all along before the fork of the PoW chain.”
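As an added illustration, not the Omni Bridge source, here is a minimal Solidity message receiver that checks a cross-chain message’s chainID against a value stored at deployment (the pattern the analysis describes) beside one that checks it against the live CHAINID opcode (block.chainid, EIP-1344). Contract and function names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example (not Omni Bridge code). Solidity 0.4.24 predates the
// CHAINID opcode (EIP-1344, Istanbul), which is why older contracts kept the
// chain ID in storage instead of reading it at execution time.

contract ForkUnsafeReceiver {
    // Chain ID captured once at deployment and kept in storage. After a hard
    // fork both chains carry this identical storage value, so a message built
    // for the PoS chain passes this check on the PoW fork as well.
    uint256 private storedChainId;

    constructor(uint256 chainId_) { storedChainId = chainId_; }

    function verifyChainId(uint256 messageChainId) public view returns (bool) {
        return messageChainId == storedChainId; // stale on the forked chain
    }
}

contract ForkSafeReceiver {
    mapping(bytes32 => bool) public processed;

    // block.chainid reflects the chain the code is actually executing on. On the
    // forked chain it differs from the ID the sender encoded for the PoS chain,
    // so a replayed message is rejected instead of releasing tokens twice.
    function verifyChainId(uint256 messageChainId) public view returns (bool) {
        return messageChainId == block.chainid;
    }

    // Binding the chain ID into the message hash also keeps the replay-protection
    // set distinct per chain; the same calldata hashes differently on each fork.
    function messageId(uint256 messageChainId, bytes calldata payload)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(messageChainId, payload));
    }

    function handle(uint256 messageChainId, bytes calldata payload) external {
        require(verifyChainId(messageChainId), "wrong chain");
        bytes32 id = messageId(messageChainId, payload);
        require(!processed[id], "already processed");
        processed[id] = true;
        // ... release tokens to the recipient encoded in payload ...
    }
}
```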
This allowed attackers to harvest ETHW, and potentially other tokens held by the bridge on the PoW chain, which they may continue to trade on marketplaces that list those tokens. Cointelegraph has reached out to BlockSec to determine the value extracted during the exploit.
Following Ethereum’s successful Merge event, which saw the smart contract blockchain transition from PoW to PoS, several miners decided to continue the PoW chain via a hard fork.