Ethereum successfully transitioned from Proof of Work (PoW) to Proof of Stake (PoS). A few days after this consensus algorithm change, a hack occurred on Ethereum PoW, a fork of the Ethereum blockchain. This is a version of the network whose consensus algorithm has not changed. It still works on a PoW basis and miners still have a big role to play.
To exchange cryptocurrencies from the main blockchain to the fork, or vice versa, users must go over bridges. These protocols allow assets to be transferred from one blockchain to another. During the process, the deposited cryptocurrencies are locked in a smart contract. In parallel, the equivalent of the locked coins is issued on the destination blockchain. In this way, the user can use his holdings on another blockchain. In this case, they can use ETHW tokens on the main chain or vice versa.
Yes, but here it is: On Sunday, September 18, 2022, three days after the merger, a hacker attacked omnibridge, one of those bridges that connects multiple networks, including the Ethereum blockchains. The attack was quickly identified by researchers at BlockSec, a blockchain security specialist.
1/ Alert | BlockSec detected that the exploits are reproducing the message (call data) of the PoS chain in @EthereumPow. The root cause of the exploit is that the bridge does not properly verify the actual (self-maintaining) chainid of the cross-chain message.
—BlockSec (@BlockSecTeam) September 18, 2022
By exploiting a flaw in the Omnibridge operation, the hacker managed to double the amount of cryptocurrencies deposited. The hacker deposited 200 ETH on the bridge. He quickly withdrew them, but thanks to the loophole, he received 200 ETHW on the Ethereum PoW blockchain. Clearly, he was able to walk away with digital currencies without freezing his holdings in a smart contract. Therefore, the funds were doubled. The attacker made between $8 and $10,000 in the process.
Bridges between forks, the weak link of Ethereum?
Within a blog post, the developers of Ethereum PoW point out that the flaw is not at the blockchain level. The breach, which made cryptocurrency doubling possible, stems from an Omnibridge smart contract.
“There was no ETHPoS and ETHPoS replay attack, which ETHW Core security engineers had anticipated”explain the developers of ETH PoW.
Therefore, the bridge is responsible for the attack. As Chainalysis experts report, ” bridges are a prime target for hackers because they often house a central storage space where cryptocurrencies used to back issued coins on the receiving blockchain are deposited.”
Most registered hacks this year also aimed at bridges. This summer, the ecosystem was notably marked by the nomad trick, which resulted in the disappearance of $190 million in cryptocurrencies. In the case of Nomad, the breach was introduced by an update to a bridge smart contract. Recently, a critical flaw was also detected in the Arbitrum bridge connected to Ethereum. A pirate could have seized the funds in transit on the bridge. Fortunately, the vulnerability was closed before a hacker exploited it.
Other attack vectors
After The Merge, it is no longer the miners who secure the transactions on the Ethereum blockchain. now these are validators who are responsible for securing the network. To become a validator it is necessary to have a minimum of 32 Ethers. These tokens are then deposited as collateral. The validator then receives a reward in ETH, like the miners before the Merge.
“Bet (Editor’s note: single) refers exclusively to a community of Ethereum advocates, who have great technical skills. It is not easy for everyone. Access is not easy”laments Gilles Cadignan, founder of Woleet, a start-up specializing in cybersecurity, during an interview with 01Net.
This is why most validators go through centralized engagement platforms. Many cryptocurrency exchanges offer staking services. This is the case of Coinbase, Binance, BlockFi or even Kraken. Following the merger, the security management of the Ethereum blockchain was centralized considerably. This phenomenon had been widely anticipated by developers, specifies the founder of Woleet.
“Once the merge happened, of the 1000 blocks, 420 blocks were validated by two addresses”Gilles Cadignan stresses.
Among the entities that concentrate a large part of the participation, we find Swimming pool. This is a service that allows anyone to become an Ethereum validator. The protocol has attracted many investors eager to increase their holdings. As a result, Lido has come to concentrate just over 30% of the Ethereum validation market. Also note that the vast majority of assets deposited on Lido are Ethers. Of the $7.8 billion staked in the protocol, $7.61 billion is ETH. However, Lido is not really a centralized player. This is a company that serves asintermediary of almost 30 companies.
With the ubiquity of staking platforms comes ” potential risks of censorship linked to regulation”valued abdeIhamid Bakhta, developer of Ethereum. Specifically, an entity, such as a government, could pressure a validator to induce you to decline transactions. Theoretically, a validator like Lido might have to ” submit to regulationadds the CEO of Woleet.
As a result of the merger, the United States also estimated that the Ethereum blockchain is dependent on US law.. For the Securities and Exchange Commission (SEC), the American financial policeman, all transactions made on Ethereum are considered to be made in the United States. The regulator argues by pointing out that most of the validators are located on US soil. As Etherscan, the site that lets you explore the blockchain, shows, more than 45% of nodes they are in fact housed in the territory of the country. Will validators have to comply with US law in the future?
Ethereum, a blockchain that has become too complex?
Interviewed by us, Gilles Cadignan also mentions the nothing at stake or “nothing to lose”, ” a problem well known to all lovers of consensus algorithms ». This flaw, inherent to Proof of Stake, consists of validating transactions on two forks of a blockchain. To prevent one validator from validating blocks on two networks, the developers implemented the slash. Is about’a system of sanctions which punishes a validator that seeks to validate blocks on multiple branches in parallel.
With such additions, the Ethereum merger would have had considerably complicated block chain code. This greater complexity would open the door to discover possible failures in the future. The rest, ” continuous radical changes » decreed by the developers of Ethereum, and the profusion of forks, would risk weakening the infrastructure.
” Complexity is the enemy of security. The more complicated it is, the greater the risk of failure. And Ether, with PoS, is even more complex, there are even more lines of code. I think there are 100 times more lines of code, goes in all directions », explains Gilles Cadignan, emphasizing that it is enough that there “a problem keeping it all together”.