Replay Attacks: What to Consider Before Selling Your Post-Merge ETH Fork Tokens

Ethereum inflows

Ethereum, the blockchain behind the world’s second-largest crypto asset of the same name, will almost certainly split, creating two separate coins running on two separate chains: proof-of-work (PoW) and proof-of-stake (PoS). 

Such a split, often influenced by divergent views among crypto community members, is referred to as a ‘hard fork.’ Or just ‘fork.’ Some Ethereum miners reluctant to get rid of the old consensus mechanism have now signaled plans to ‘fork’ the blockchain once it ‘Merges’.

Forking Ethereum

“The chain will split. Ethereum will continue normally on PoS, and miners will fork it and create $ETHW,” tweeted pseudonymous DeFi strategist Olimpio.

What this means, Olimpio explained, is that the entire Ethereum blockchain will have two identical instances – all Ether, ERC20 tokens, and transactions, as well as all DeFi positions will exist in proof-of-work and proof-of-stake.

Users that held ethereum before the Merge may automatically receive a balance of tokens of the new proof-of-work forks in their wallets. The process of claiming these tokens will vary depending on the chain.

Assets on a centralized exchange such as Poloniex or Coinbase will likely receive the forked tokens without much hustle, should the exchange decide to list those specific tokens.

Olimpio cautioned that while forked tokens can be bought or sold, “it’s probably unnecessary risk and probably not worth it.” He expects PoW Ethereum forks to collapse right after the Merge because “miners promoting PoW ethereum don’t seem very competent.”

Or you could fall victim to unintended replays, he says.

What are replay attacks?

According to experts, a replay attack happens when bad actors sneak up on a secure network connection and intercept it, giving them access to delay or resend another data transaction to subvert the receiver.

In the context of the Merge, replay attacks are a realistic possibility. “Transactions signed and submitted to the PoS and PoW chains will be identical and can be executed on both chains,” Web3 security firm Quantstamp Labs explained in a blog post.

This could have multiple consequences. Users might sign away their non-fungible tokens or ERC20 tokens on decentralized exchanges (DEX) to an attacker unawares. Essentially, any transaction on Ethereum could be affected, it said.

For example, imagine you send 100 proof-of-stake ether to an exchange like Poloniex to sell, Olimpio says a bot can send your 100 real ETH on the Ethereum mainnet to the same Poloniex address.

“In this particular example, what will happen is that funds might not be lost forever (since Poloniex holds all the keys), but chaos and uncertainty will most likely occur, driving attention away from the real, tangible, and important milestone accomplished that day [the Merge],” he stated.

However, “attackers cannot freely withdraw assets from user accounts following the Merge without the users themselves creating suitable conditions for the attackers.”

Quantstamp said this was an issue at the protocol level, “regardless of whether the account’s private keys are managed by a hot wallet (such as MetaMask), a hardware wallet, or a custody provider…”

How to avoid unintended replays

“I would 100% stay out of ETH proof-of-work,” Olimpio advised. However, for those users that ‘insist’ on interacting with PoW fork tokens, it is possible to protect against unintended replays.

Ensure that transactions signed on one chain (PoW or PoS) will naturally fail if replayed on the other chain. To do that, Quantstamp Labs suggested moving all assets on both chains to new accounts dedicated to those chains. It is the most effective approach, it says.

Olimpio explained how.

“After the Merge, send your ETH on proof–of-stake from your main wallet to a second wallet you control. Now you send your proof-of-work ether to Poloniex to dump. If someone tries to replay this on PoS, the transaction will fail since you already moved it before to your second wallet.”

The transfer will need to occur on both the PoW and PoS chains. “If it occurred on only one chain, an attacker could replay the transfer on the other chain and execute the attack the exactly same way,” Quantstamp added.

It discounted the use of nonces as a sufficient fix for replay attacks. A nonce is a number in the sequence of transactions sent by an account over the Ethereum network. The very first transaction from an account has nonce 0. Every transaction after that increases the nonce by 1, meaning there can be no gaps.

Nonce divergence proponents argue that if one chain advances the nonce for an account, the other chain will be behind in the transaction sequence, and therefore, the attempt to replay transactions would fail because of the gap in the nonces.

But “if the attacker is able to execute transactions on the other chain and make the nonces of the account match, replays would be possible again,” said Quantstamp.

What will the fork mean for ETH on layer two protocols?

“Nothing. All safe. Unaffected,” Olimpio asserted.

A layer two (L2) is a separate blockchain that extends Ethereum – meaning it helps to scale the Ethereum blockchain by improving transaction speeds and lowering transaction costs.

There is a total of more than $5.1 billion worth of ETH locked in layer two protocols, as per data from the Ethereum Foundation website.

“Most of the L2s have centralized components to them,” Brian Pasfield, CTO of Fringe Finance, told Be[In]Crypto.

“Therefore I do not think many are considering the risks that Ethereum’s move to PoS poses insofar as it introduces additional attack surfaces for authorities…which will result in transaction censorship,” he added.

For Be[In]Crypto’s latest Bitcoin (BTC) analysis, click here.

Disclaimer

All the information contained on our website is published in good faith and for general information purposes only. Any action the reader takes upon the information found on our website is strictly at their own risk.