WARNING: If the ETHPoW ChainID is not updated as planned, there is a risk of relay attacks against individual user wallets. With such an attack, the user loses $ETH equivalent to her ETHPoW sold.
Recent concerns over The Merge were exacerbated after it was discovered that Ethereum’s Proof of Work chain had not updated its ChainID to a unique number. The team behind ETHPoW updated his GitHub on Friday morning and said it would use ChainID ‘10001’ after the merge.
However, the team claimed that ChainID will remain 1 (same as Ethereum mainnet) until the day of The Merge, in response to Coinbase requesting an update.
“Because chainID 1 is required to validate a block’s chain data before merging, and all chain data after merging will be chainID 10001, the code mentioned in the comment above should be kept.”
If ETHPoW keeps the same ChainID and nonce as the mainnet, there is a risk of losing funds when users try to trade the received ETHPoW tokens.
CryptoSlate spoke with CEO and CTO of Temoc Webber and Igor Mandrigin. Gateway.fm Respectively for the possibility of a relay attack through the ETHPoW chain. Gateway.fm is a web3 infrastructure company focused on building decentralized RPC solutions that don’t rely on centralized services such as AWS.
During the conversation, Mandrigin said there was “no reason” for the ETHPoW team not to update their code before The Merge. “They could fork it today,” he argued, then suggested a simple solution.
We just added some code to allow ETHPoW to use the ChainID until the TTD of The Merge is reached, after which it can automatically change the ChainID back to ‘10001’.
A few simple lines of code can help the Ethereum community relax, knowing that ETHPoW is not ready to cause chaos after the mainnet merger. However, the opposite comes from being blocked by his Twitter account on Ethereum PoW after his Core Ethereum developer, Lefteris Karapetsas, pointed out the problem of not changing the ChainID in a timely manner. seems to have been confirmed.
You will be blocked if you point out that ETHPoW is incompetent and causes people to lose their funds.
Everything you need to know about that chain. Use them at your peril. https://t.co/E1SBpSb5ux pic.twitter.com/CYUZL5Ye1Y
Lefteris Carapetzas | @rotkiapp (@LefterisJP) Now recruiting September 9, 2022
If the ETHPoW ChainID and nonce are not updated, all transactions that occur on the ETHPoW chain may be duplicated on the mainnet. Here’s an example of how this could be abused:
- Prior to The Merge, malicious actors set up empty upgradable proxy smart contracts on Ethereum Mainnet.
- After The Merge, malicious actors upgrade the ETHPoW smart contract to allow users to sell ETHPoW at a premium of $500 per ETHPoW.
- On Ethereum mainnet, malicious actors upgrade smart contracts to send received ETH to Tornado cache.
- The ETHPoW smart contract is marketed as the best DEX to trade ETHPoW, with users selling ETHPoW in USDT for $500 per ETHPoW.
- If the same ChainID, nonce, and private key are identical, the transaction will also take place on the Ethereum mainnet. However, the mainnet contract has been updated to send ETH to Tornado Cash and not return USDT.
- User has USDT in ETHPoW but nothing in mainnet wallet. Given that USDT does not support her ETHPoW, the user has basically been stuck with ETHPoW and ETH.
A warning for those planning to discard ETHPoW tokens received after The Merge.
Please pay attention to whether the ChainID of ETHPoW is updated before trading. ChainID should be “10001” not “1”. If your ChainID is ‘1’, you risk losing funds from your mainnet Ethereum wallet.