What is a Replay Attack? Possible impacts on your Ethereum NFTs & precautions

Ethereum, the second-largest blockchain, is now weeks away from the long-awaited merge. The upcoming update marks the complete transition of the blockchain from proof-of-work (PoW) to proof-of-stake (PoS). It is unarguably one of the biggest milestones to happen in the cryptocurrency space, given that Ethereum is among the largest and most pioneering PoW blockchains.

Many Ethereum users, holders, and crypto enthusiasts are excited about the merge in September, as it will potentially improve the overall scalability of the network, among other relevant functions. Amidst the euphoria, there have been arguments and speculations on the possible fundamental and technical implications of the upcoming merge to the beacon chain.

One of the most discussed outcomes of the event is the Replay attack. In this article, we explain what a Replay attack means and how you can secure your NFTs.

What is a Replay attack?

A Replay attack is commonly referred to as a man-in-the-middle attack. It happens when a hacker or malicious actor secretly connects, intercepts, and tweaks data on a secure network so that the data/transaction is delayed or repeated to the detriment of the originator. Replay attacks can also happen in the blockchain space, especially during chain splits or hard forks. 

After the merge, there would be two functioning chains/copies of the Ethereum blockchain: Ethereum PoS (new chain) and Ethereum PoW (old chain). Due to this chain split, assets on the current Ethereum network, including non-fungible tokens, will be duplicated to the PoS chain. This means the NFTs you currently hold will be duplicated, which consequently opens up the chances of a Replay attack.

How?

Assuming the would-be old Ethereum PoW chain thrives with miners' support and a new ChainID, transactions from the PoW chain can be replicated or replayed on the new Ethereum PoS blockchain, which is risky and can result in loss of assets.

"If you send 100 ETHPoW on the PoW chain from your wallet to a friend, then your friend could broadcast the same transaction on the PoS chain and send himself 100 original ETH to his same wallet," a DeFi expert narrated.

NFTs are also vulnerable to such an attack. The transaction attributes of a duplicated NFT on the Ethereum PoW chain can be replayed on the PoS chain, enabling the malicious actor to claim the main asset on the Ethereum PoS network. Replay attacks on Ethereum assets could wreak havoc in the crypto market, although many experts speculate that the chances are slim based on predictions that ETHPoW may not survive long.

The best bet will be to mitigate your exposure to such an attack if you are currently holding an Ethereum asset. 

Precaution to possible Ethereum Replay attacks

Here are some of the ways you can reduce the chances of a Replay attack and protect your assets on both the PoS and PoW Ethereum blockchains.

Use different wallets for PoW and PoS

The possibility of a Replay attack is much higher if you leave or trade the duplicated assets (NFTs or tokens) in a single wallet. You need to create and use a different wallet for each chain.

  • Create two wallets (B) and (C). Transfer all your assets from the main wallet (A) to wallet B just before the merge.
  • After the merge, you can transfer all assets from wallet B to the main wallet (A) for the PoS chain.
  • Then, transfer all PoW assets from wallet B to C; the latter becomes your primary wallet for trading on the PoW chain.

The idea is to not have/use the assets in one wallet. 

Another option for preventing Replay attacks would be messing up the transaction nonces, which might be technical.
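
The replay described above and the two precautions, reduced to a toy model as an added example (not code from the original article). Assumptions: HMAC stands in for Ethereum's ECDSA signatures, the signed fields name no chain, and all account names, keys, balances and nonces are constructed.

```python
import hashlib
import hmac

KEYS = {"A": b"key-A", "C": b"key-C"}  # constructed toy keys; HMAC stands in for ECDSA

def _mac(tx):
    msg = f"{tx['from']}|{tx['to']}|{tx['value']}|{tx['nonce']}".encode()
    return hmac.new(KEYS[tx["from"]], msg, hashlib.sha256).hexdigest()

def sign(sender, to, value, nonce):
    # Assumption: none of the signed fields names a chain.
    tx = {"from": sender, "to": to, "value": value, "nonce": nonce}
    return {**tx, "sig": _mac(tx)}

class Chain:
    def __init__(self, balances, nonces):
        self.balances, self.nonces = dict(balances), dict(nonces)

    def submit(self, tx):  # returns "ok" or the reason the transaction is rejected
        if not hmac.compare_digest(_mac(tx), tx["sig"]):
            return "bad signature"
        if tx["nonce"] != self.nonces.get(tx["from"], 0):
            return "nonce mismatch"
        if self.balances.get(tx["from"], 0) < tx["value"]:
            return "insufficient balance"
        self.balances[tx["from"]] -= tx["value"]
        self.balances[tx["to"]] = self.balances.get(tx["to"], 0) + tx["value"]
        self.nonces[tx["from"]] = tx["nonce"] + 1
        return "ok"

def fork(balances, nonces):  # a chain split copies every balance and nonce
    return Chain(balances, nonces), Chain(balances, nonces)

def shared_wallet():
    # Same wallet on both chains: the PoW payment is also valid on PoS.
    pow_chain, pos_chain = fork({"A": 100}, {"A": 7})
    tx = sign("A", "friend", 100, 7)
    return pow_chain.submit(tx), pos_chain.submit(tx), pos_chain.balances["friend"]

def split_wallets():
    # End state of the wallet procedure: A holds funds only on PoS, C only on PoW.
    pow_chain, pos_chain = Chain({"C": 100}, {}), Chain({"A": 100}, {})
    tx = sign("C", "friend", 100, 0)
    return pow_chain.submit(tx), pos_chain.submit(tx)

def diverged_nonce():
    pow_chain, pos_chain = fork({"A": 100}, {"A": 7})
    pos_chain.nonces["A"] = 8  # modelled directly: A's nonce has advanced on PoS only
    tx = sign("A", "friend", 100, 7)
    return pow_chain.submit(tx), pos_chain.submit(tx)
```

In each function the first result is the payment on the PoW chain and the second is the same signed bytes submitted to the PoS chain.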
