Ethereum Developers Address Network Vulnerabilities During Pectra Upgrade on Sepolia Testnet

In a recent post-incident report, Ethereum developer Marius van der Wijden disclosed that an unknown attacker exploited a critical oversight during the Pectra upgrade on the Sepolia testnet, prompting Ethereum developers to deploy a “private fix.” This fix came after the network faced technical difficulties, causing disruption during the testnet rollout.

What Happened?

The Pectra upgrade, which aimed to enhance Ethereum’s staking capabilities and scalability, went live on the Sepolia testnet on March 5. However, issues surfaced almost immediately as developers began to see error messages on their geth nodes, accompanied by an increase in empty blocks being mined on the network.

Van der Wijden explained that the root cause of the problem lay in an unexpected event emitted by the deposit contract. Instead of generating the required deposit event, the contract emitted a transfer event. This caused geth nodes to reject transactions, resulting in the mining of empty blocks and a network standstill.

The issue was tied to Ethereum Improvement Proposal (EIP) 6110, which aimed to standardize the processing of logs from the deposit contract. However, the fix rolled out by the geth team, which was designed to “ignore erroneous logs” from the deposit contract, overlooked a critical edge case in the ERC-20 token standard.

The Exploit: Zero-Token Transfers

The overlooked edge case stemmed from the ERC-20 standard, which does not prohibit zero-token transfers. This allowed any entity—regardless of ownership of tokens—to send zero-token transfers to any address, emitting a transfer event. An attacker took advantage of this loophole by repeatedly sending zero-token transfers to the deposit contract. Each time, the deposit contract emitted an erroneous event, triggering the same error and causing the network to continue mining empty blocks.

Initially, developers suspected that a trusted validator had made a mistake. However, further investigation revealed that the issue was traced to a new account funded by a public faucet, rather than a validator’s error.

The Response and the “Private Fix”

To stop the attack, developers needed to filter out transactions interacting with the deposit contract. However, they were concerned that the attacker might be monitoring public discussions regarding the issue. As a result, the team decided to implement a “private fix,” which was rolled out to select DevOps nodes controlling about 10% of the network.

Once the fix was deployed, nodes resumed producing full blocks, restoring the network’s functionality by 14:00 UTC. A few blocks later, the attacker’s malicious transaction was successfully mined, confirming that all node operators had updated their software.

Despite these disruptions, Ethereum’s testnet network never lost finalization, and the issue was contained to the Sepolia testnet. This was due to the fact that the Sepolia deposit contract was token-gated, differentiating it from the Ethereum mainnet’s deposit contract.

Impact and Future Plans

The technical issues on Sepolia, while significant, were ultimately isolated and did not affect the broader Ethereum network. Nevertheless, the disruptions led developers to delay the Pectra upgrade’s mainnet deployment. Further testing and debugging are needed to ensure that the upgrade can be implemented smoothly on Ethereum’s primary network.

What is the Pectra Upgrade?

The Pectra fork is a significant upgrade aimed at enhancing Ethereum’s staking process, improving layer 2 scalability, and expanding the network’s overall capacity. The upgrade incorporates 11 Ethereum Improvement Proposals (EIPs) and is the first major update since the Dencun upgrade, which went live in March 2024.

Developers had planned to deploy the Pectra upgrade on the mainnet by April 8, contingent on the successful implementation of the upgrade on both the Holesky and Sepolia testnets. However, the issues experienced during the Sepolia rollout, combined with similar challenges on the Holesky testnet in late February, have prompted the Ethereum development team to pause and reassess the upgrade’s deployment.

The Ethereum network faced a significant vulnerability during the Pectra upgrade on the Sepolia testnet, where an attacker exploited a flaw in the ERC-20 token standard to repeatedly send zero-token transfers to the deposit contract. This triggered errors that caused empty blocks to be mined, disrupting the network. Ethereum developers responded swiftly by implementing a “private fix,” which resolved the issue and restored normal network operations.

Despite the incident, Ethereum never lost finalization, and the problem was limited to Sepolia. Developers have now decided to delay the mainnet deployment of the Pectra upgrade for further testing and debugging, with plans to proceed only once the upgrade proves stable across all testnets.

The Pectra upgrade promises to enhance Ethereum’s staking, scalability, and capacity, but it is clear that more work remains to ensure its successful deployment on the Ethereum mainnet.