EthereumPOW is a version of the Ethereum blockchain that continues to run on the proof-of-work (PoW) consensus mechanism, experienced another exploit over the weekend due to an erroneous third-party contract.
The developers of EthereumPOW were alerted to the problems and immediately took steps to fix this problem. The blockchain was created as a fork of the Ethereum network, which switched to the proof-of-stake (PoS) consensus mechanism on Thursday. The exploit refers to the same transaction duplicated in both chains. This means that if a user made transactions on Ethereum PoW, the same was done on Ethereum PoS, which ultimately allows attackers to illegally cheat smart contracts to issue tokens from one chain, even if the actual transaction was performed on another chain.
The attackers used the Omni bridge of the Gnosis network for the exploit. About 200 wETH were transferred across the bridge on Saturday, and the same transaction was replicated in the PoW chain, resulting in the attacker receiving 200 ETHW, or approximately $1,600 at that time.
"Erroneous data from the Ethereum PoW network chain identifier used in the contract caused the problem", security firm BlockSec tweeted. The chain identifier is a set of numbers used by the MetaMask browser-based crypto wallet to sign transactions over the network. An incorrect chain ID causes transactions to fail because users are not connected to the correct network, making the network unusable.
BlockSec warned that the problem could eventually lead to the remainder of the contract deployed in the PoW chain being "depleted". Meanwhile, the developers of EthereumPOW said in a Sunday post that the attack exploited the vulnerability of the bridge contract, and not their blockchain itself.
"We have contacted the bridge in all respects and informed them of the risks," the statement said. "Bridges should check the actual ChainID of cross messages," the developers wrote.
Thus, on the first day, the network experienced failures when users claimed that they could not access the blockchain servers using publicly available information provided by Ethereum PoW. ETHW tokens have fallen in the last 24 hours after the exploit, dropping by about 37% and increasing weekly losses to more than 80%, CoinGecko data show.