Blockchain security firm BlockSec has detected a replay exploit on the Ethereum Proof-of-Work (PoW) blockchain, which was formed 24 hours after the Ethereum Merge last week.

The cybersecurity firm pointed out that the attacker obtained an extra 200 ETHW tokens after successfully replaying a message from the Proof-of-Stake Ethereum chain on the Ethereum Proof-of-Work chain.

"BlockSec detected that exploiters are replaying the message (calldata) of the PoS chain on @EthereumPow. The root cause of the exploitation is that the bridge doesn't correctly verify the actual chainid (which is maintained by itself) of the cross-chain message," said the firm via a Twitter post Sunday.

Additionally, BlockSec confirmed that the attack succeeded because the bridge between the two chains did not accurately verify the origin of the cross-chain message or the chain ID, which is what makes each blockchain distinct from the other. The result was a replay attack.

"The exploiter (0x82fae) first transferred 200 WETH through the omni bridge of the Gnosis chain, and then replayed the same message on the PoW chain and got extra 200 ETHW," BlockSec revealed.

In a Medium blog post on Sept. 18, the ETHPoW blockchain developer team confirmed that the attacker did not compromise the newly formed blockchain itself but instead used a contract vulnerability in the bridge.

"ETHW itself has enforced EIP-155, and there is no replay attack from ETHPoS and to ETHPoS, which ETHW Core's security engineers have planned in advance," the ETHW Core developers said in the blog. "We have contacted the bridge in every way and informed them of the risks. Bridges need to correctly verify the actual ChainID of the cross-chain messages."
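The chain ID check both BlockSec and the ETHW Core developers describe can be shown with a small model. This is an added example, not code from the bridge, BlockSec or ETHW Core; it assumes a simplified bridge whose stored chain ID and executed-message set are copied unchanged by the fork, omits validator signature checks, and all names, chain ID constants and the message are constructed for illustration.

```python
from dataclasses import dataclass, field

POS_CHAIN_ID, POW_CHAIN_ID = 1, 10001  # sample chain IDs for the two forks

@dataclass(frozen=True)
class Message:
    msg_id: str         # unique ID assigned by the source side of the bridge
    dest_chain_id: int  # chain this message was signed for
    recipient: str
    amount: int

@dataclass
class Chain:
    actual_chain_id: int         # what the chain itself reports
    bridge_stored_chain_id: int  # value the bridge maintains in its own storage
    executed: set = field(default_factory=set)
    balances: dict = field(default_factory=dict)

def fork(chain, new_chain_id):
    # A fork copies contract storage verbatim; only the chain's own ID changes.
    return Chain(new_chain_id, chain.bridge_stored_chain_id,
                 set(chain.executed), dict(chain.balances))

def release(chain, msg):
    chain.executed.add(msg.msg_id)
    chain.balances[msg.recipient] = chain.balances.get(msg.recipient, 0) + msg.amount
    return True

def execute_stored_id(chain, msg):
    """Weak check: compares against the chain ID the bridge maintains itself."""
    if msg.msg_id in chain.executed or msg.dest_chain_id != chain.bridge_stored_chain_id:
        return False
    return release(chain, msg)

def execute_actual_id(chain, msg):
    """Corrected check: compares against the chain's actual ID."""
    if msg.msg_id in chain.executed or msg.dest_chain_id != chain.actual_chain_id:
        return False
    return release(chain, msg)

def demo():
    pos = Chain(POS_CHAIN_ID, POS_CHAIN_ID)
    pow_weak, pow_fixed = fork(pos, POW_CHAIN_ID), fork(pos, POW_CHAIN_ID)
    msg = Message("msg-1", POS_CHAIN_ID, "0xRECIPIENT_PLACEHOLDER", 200)  # constructed
    return (execute_stored_id(pos, msg),        # legitimate delivery on PoS
            execute_stored_id(pow_weak, msg),   # same message accepted again on PoW
            execute_actual_id(pow_fixed, msg))  # rejected: signed for another chain

if __name__ == "__main__":
    print(demo())
```

The per-message ID check does not help on the forked chain, because the message was first executed after the fork and so is absent from the copied executed set; only the comparison against the chain's actual ID rejects it.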

According to the data from CoinMarketCap, the ETHW token was down 36.79% in the last 24 hours following the news of the exploit, and the price of 1 ETHW token as of 12:32 a.m. ET was around $5.22.
