In brief—
Events Under the Spotlight 🔎
Ethereum Fork ETHPoW Suffers Bridge Replay Exploit
A replay attack against the Omni bridge allowed an attacker to extract 200 WETH from the Ethereum PoW chain.
The attacker transferred 200 WETH from the Ethereum PoS chain through the Omni bridge.
The transaction was reportedly replicated on the Ethereum PoW chain.
Steps:
The Omni bridge source code does contain logic to verify the chainID, but the chainID it verifies against is read from a value held in contract storage, in a mapping named uintStorage.
```solidity
function _isDestinationChainIdValid(uint256 _chainId) internal returns (bool res) {
    return _chainId == sourceChainId();
}

/**
 * Internal function for retrieving chain id for the source network
 * @return chain id for the current network
 */
function sourceChainId() public view returns (uint256) {
    return uintStorage[SOURCE_CHAIN_ID];
}
```
Chain IDs are a network's fingerprint and let blockchains establish the distinct identification of on-chain assets. They were developed in 2016 to support the hard fork of Ethereum Classic.
It was found that the chain ID assigned by ETHPoW was erroneous and that a testnet for Bitcoin Cash was already using it.
The exploiter used this opportunity to send 200 WETH across the Omnibridge of the Gnosis chain. The identical transaction was then carried out again on the PoW chain to earn 200 more ETHW.
The money was then transferred to MEXC by the offender.
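The chain ID check described in the steps above, modelled as an added example (this is not code from the Omni bridge or from this page). The `Chain` class, the `valid_live` variant and all chain ID and message values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

SOURCE_CHAIN_ID = "SOURCE_CHAIN_ID"  # storage key name from the snippet above


@dataclass
class Chain:
    """A network: its live chain ID plus the bridge contract's state on it."""
    name: str
    chain_id: int  # ID the network itself reports
    uint_storage: dict = field(default_factory=dict)
    processed: set = field(default_factory=set)  # message IDs already executed

    def fork(self, name, new_chain_id):
        # A hard fork copies contract storage; only the live chain ID changes.
        return Chain(name, new_chain_id, dict(self.uint_storage), set(self.processed))


def valid_stored(chain, dest_chain_id):
    # Mirrors _isDestinationChainIdValid: compares against the stored value only.
    return dest_chain_id == chain.uint_storage[SOURCE_CHAIN_ID]


def valid_live(chain, dest_chain_id):
    # Hardened variant (assumption): stored value must also equal the live ID.
    return dest_chain_id == chain.uint_storage[SOURCE_CHAIN_ID] == chain.chain_id


def execute(chain, msg, check):
    """Process a bridge message once per ID if the chain ID check passes."""
    if msg["id"] in chain.processed or not check(chain, msg["dest_chain_id"]):
        return False
    chain.processed.add(msg["id"])
    return True


def demo():
    # Constructed values: the chain IDs and the message are illustrative.
    results = {}
    for label, check in (("stored", valid_stored), ("live", valid_live)):
        original = Chain("original", 1, {SOURCE_CHAIN_ID: 1})
        forked = original.fork("fork", 99999)  # fork exists before the message
        msg = {"id": "msg-1", "dest_chain_id": 1, "amount": 200}
        results[label] = (execute(original, msg, check), execute(forked, msg, check))
    return results


if __name__ == "__main__":
    print(demo())
```

The per-message `processed` set gives no protection on the fork, because the fork's copy of the contract never saw the message; only a comparison against the live chain ID separates the two networks.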
CoinDCX Twitter Account Exploited
As CoinDCX tried to regain control of its compromised Twitter account, it put out an alert through another Twitter handle, @CoinDCX_Cares.
It was also retweeted by CoinDCX officials, including CEO Sumit Gupta.
The message alerted followers that the Twitter account had been compromised and warned them not to click on any link or notice they may receive from the Twitter handle @CoinDCX today.
To make it look natural, the exploiters retweeted official posts of Ripple Labs CEO Brad Garlinghouse and replied to tweets with scam/phishing links.
Users who click on the links in these posts may lose their funds to the scam.
Wintermute, Crypto Market Maker, Loses $160M
CEO Evgeny Gaevoy tweeted early on Tuesday morning that—
“the business was dealing with an ongoing hack that has emptied the money from its decentralised finance (DeFi) operations.”