Ethereum: first hack following The Merge, is cryptocurrency in danger?

Ethereum has successfully transitioned from Proof of Work (PoW) to Proof of Stake (PoS). A few days after this consensus algorithm change, a hack took place on Ethereum PoW, a fork of the Ethereum blockchain. This is a version of the network whose consensus algorithm has not changed. It still works on a PoW basis and miners still have an important role to play.

To exchange cryptocurrencies from the main blockchain to the fork, or vice versa, users must to pass over bridges. These protocols make it possible to transfer assets from one blockchain to another. During the process, the deposited cryptocurrencies are locked in a smart contract. In parallel, the equivalent of the blocked currencies is issued on the destination blockchain. This way, the user can use their holdings on another blockchain. In this case, they can use ETHW tokens on the main chain, or vice versa.

Yes, but here it is: on Sunday September 18, 2022, three days after the Merge, a hacker attacked OmniBridge, one such bridge that connects multiple networks, including Ethereum blockchains. The attack was quickly identified by researchers at BlockSec, a blockchain security specialist.

By exploiting a flaw in the operation of Omnibridge, the hacker managed to double the amount of cryptocurrencies deposited. The hacker deposited 200 ETH on the bridge. He quickly withdrew them, but thanks to the loophole, he received 200 ETHW on the Ethereum PoW blockchain. Clearly, he was able to walk away with digital currencies without freezing his holdings in a smart contract. The funds were therefore duplicated. The attacker earned between $8 and $10,000 in the process.

Read also: Why it is no longer profitable to mine cryptocurrencies with a graphics card

Bridges between forks, Ethereum’s weak link?

In a blog post, Ethereum PoW developers point out that the flaw is not at the blockchain level. The breach, which made it possible to duplicate cryptocurrencies, does indeed come from a smart contract from the Omnibridge bridge.

“There was no replay attack from ETHPoS and to ETHPoS, which ETHW Core security engineers had anticipated”explain the developers of ETH PoW.

The bridge is therefore responsible for the attack. As Chainalysis experts report, bridges are a prime target for hackers because they often host a central storage space where the cryptos used to support the currencies issued on the receiving blockchain are deposited”.

Most recorded hacks this year also aimed at bridges. This summer, the ecosystem was particularly marked by the hack of Nomad, which resulted in the disappearance of 190 million dollars in cryptocurrencies. In the case of Nomad, the breach was introduced by an update to a bridge smart contract. Recently, a critical flaw was also spotted in the Arbitrum bridge connected to Ethereum. A pirate could have seized the funds in transit on the bridge. Fortunately, the vulnerability was closed before a hacker exploited it.

Other attack vectors

Following The Merge, it is no longer miners who secure transactions on the Ethereum blockchain. Now these are validators who are responsible for securing the network. To become a validator, it is necessary to have a minimum of 32 Ethers. These tokens are then deposited as collateral. The validator then receives a reward in ETH, like the miners before the Merge.

“Staking (Editor’s note: individual) exclusively concerns a community of Ethereum defenders, who have great technical skills. It’s not easy for everyone. Access is not easy”regrets Gilles Cadignan, founder of Woleet, a start-up specializing in cybersecurity, during an interview with 01Net.

This is why most validators go through centralized staking platforms. Many cryptocurrency exchanges offer staking services. This is the case of Coinbase, Binance, BlockFi or even Kraken. Following the merger, the management of the security of the Ethereum blockchain was therefore considerably centralized. This phenomenon had been widely anticipated by the developers, specifies the founder of Woleet.

“Once the Merge passed, out of the 1000 blocks, 420 blocks were validated by two addresses”emphasizes Gilles Cadignan.

Among the entities that concentrate a large part of the staking, we find Lido. This is a service that allows anyone to become an Ethereum validator. The protocol has attracted many investors keen to grow their holdings. As a result, Lido has taken to concentrating just over 30% of the Ethereum validation market. Note also that the vast majority of assets deposited on Lido are Ethers. Of the $7.8 billion in staking on the protocol, $7.61 billion is ETH. However, Lido is not really a centralized player. This is a firm that serves asintermediary to nearly 30 companies.

The concentration of staking © Bitwise Asset Management

With the ubiquity of staking platforms comes ” potential risks of censorship linked to regulation”valued Abdelhamid Bakhta, developer of Ethereum. Concretely, an entity, such as a government, could put pressure on a validator to induce him to refuse transactions. Theoretically, a validator like Lido might have to submit to regulation”adds the CEO of Woleet.

In the wake of the merger, the United States also estimated that the Ethereum blockchain depends on US law. For the Securities and Exchange Commission (SEC), the American financial policeman, all transactions carried out on Ethereum are considered to take place in the United States. The regulator argues by pointing out that most validators are located on American soil. As Etherscan, the site that allows you to explore the blockchain, shows, more than 45% of nodes are in fact hosted on the territory of the country. Will validators have to comply with US legislation in the future?

Ethereum, a blockchain that has become too complex?

Interviewed by us, Gilles Cadignan also mentions the Nothing at Stake or “nothing to lose”, ” a problem well known to all lovers of consensus algorithms ». This flaw, inherent in the Proof of Stake, consists in validating transactions on two forks of a blockchain. To prevent a validator from validating blocks on two networks, the developers implemented the slashing. This is’a penalty system which punishes a validator who seeks to validate blocks on several branches in parallel.

With additions of this ilk, the Ethereum merger would have considerably complicated the code of the blockchain. This increased complexity would open the door to discovering potential flaws in the future. Furthermore, ” continuous radical changes » decreed by Ethereum developers, and the profusion of forks, would risk weakening the infrastructure.

Complexity is the enemy of security. The more complicated it is, the greater the risk of flaws. And Ether, with PoS, it’s even more complex, there are even more lines of code. I think there are 100 times more lines of code, it goes in all directions “, explains Gilles Cadignan, emphasizing that it is enough that there is “one problem to keep it all together”.

We want to give thanks to the writer of this post for this amazing content

Ethereum: first hack following The Merge, is cryptocurrency in danger?

You can find our social media profiles here , as well as other pages related to them here.