Trading ETHPoW tokens could open users to risk of losing Mainnet $ETH

Warning: There is a risk of relay attacks on individual users’ wallets if the ETHPoW ChainID is not updated as planned. Such attacks will cause users to lose $ETH equivalent to the ETHPoW sold.

Recent concerns over The Merge were exacerbated after discovering that the Ethereum proof-of-work chain had not updated its ChainID to a unique number. The team behind ETHPoW updated its GitHub on Friday morning to state that it would use the ChainID ‘10001’ after the Merge.

However, the team asserted that the ChainID would remain at ‘1’ (the same as Ethereum Mainnet) until the day of The Merge in response to Coinbase requesting it be updated.

“The code you mentioned in the above comments has to keep because chainID 1 is needed to validate chain data for blocks before the merge, and all chain data after the merge will be chainID 10001.”

Should ETHPoW retain the same ChainID and nonce as Mainnet, users could risk losing funds when they try to trade any ETHPoW tokens they may receive.

CryptoSlate spoke to Temoc Webber and Igor Mandrigin, CEO and CTO of Gateway.fm respectively about the potential for relay attacks through the ETHPoW chain. Gateway.fm is a web3 infrastructure company focused on building decentralized RPC solutions that do not rely on centralized services such as AWS.

During the conversation, Mandrigin stated that there is “no reason” for the ETHPoW team not to update the code before The Merge. “They could fork it today,” he asserted before suggesting a simple solution:

“You could simply add some code that allows ETHPoW to use ChainID until the TTD of The Merge is reached and then automatically revert to a ChainID of ‘10001.’”

Adding a few simple lines of code would allow the Ethereum community to relax, knowing that ETHPoW is not preparing to create chaos on Mainnet post-merge. However, the opposite appears to be confirmed as a core Ethereum developer, Lefteris Karapetsas, was blocked by EthereumPoW’s Twitter account after pointing out the issues with not changing the ChainID in good time.

If the ChainID and nonce of ETHPoW are not updated, then any trades that occur on the ETHPoW chain could be replicated on Mainnet. Here is an example of how this could be exploited.

  1. A malicious actor sets up an empty upgradeable proxy smart contract on Ethereum Mainnet prior to The Merge.
  2. After The Merge, the malicious actor upgrades the ETHPoW smart contract to allow users to sell their ETHPoW at a premium of $500 per ETHPoW.
  3. On Ethereum Mainnet, the malicious actor upgrades the smart contract to send any ETH it receives to Tornado Cash.
  4. The ETHPoW smart contract is marketed as the best DEX to trade ETHPoW, and users sell their ETHPoW for USDT for $500 per ETHPoW.
  5. The trade also goes through on the Ethereum Mainnet, given that the same ChainID, nonce, and private keys are identical. However, the Mainnet contract has been updated to send the ETH to Tornado Cash and not return any USDT.
  6. The user now has USDT on ETHPoW and nothing in their Mainnet wallet. Given that USDT does not support ETHPoW, the user has essentially been rugged of their ETHPoW and ETH.

A word of warning for anyone planning to dump any ETHPoW tokens they receive after The Merge.

Pay attention to whether the ChainID of ETHPoW has been updated before you transact. The ChainID should NOT be ‘1’ but ‘10001.’ If the ChainID is ‘1’, you risk losing funds from your Mainnet Ethereum wallet.

Source: https://cryptoslate.com/trading-ethpow-tokens-could-open-users-to-risk-of-losing-mainnet-eth/