Ethereum’s Pectra upgrade on Sepolia testnet was targeted by unidentified attacker: report

An unknown attacker prompted Ethereum developers to roll out a “private fix” as the network grappled with technical issues during the Pectra upgrade on the Sepolia testnet.

In a post-incident report , Ethereum developer Marius van der Wijden revealed that the attacker exploited an overlooked “edge case,” repeatedly triggering errors by sending zero-token transfers to the deposit contract, further complicating an already troubled rollout.

What happened?

On March 5, the Pectra upgrade went live on Sepolia, but almost immediately, developers started seeing error messages popping up on their geth nodes, alongside an increase in empty blocks being mined.

According to van der Wijden, the issue stemmed from the deposit contract emitting an unexpected event—a transfer event instead of the required deposit event—which caused nodes to reject transactions and produce only empty blocks.

The bug was linked to EIP-6110, which required all logs from the deposit contract to be processed uniformly. 

The geth team rolled out a fix that would “ignore all erroneous logs coming from the deposit contract,” but developers reportedly overlooked a specific edge case in the ERC-20 standard. 

“The ERC20 standard does not forbid 0 token transfer, this allows anyone (even if they don’t own any token) to transfer 0 tokens to another address which will emit an event,” van der Wijden explained, adding that an “attacker” took advantage of this by repeatedly sending zero-token transfers to the deposit contract.

This triggered the same error and caused the network to continue mining empty blocks.

Initially, developers suspected a trusted validator had made a mistake, but upon investigation, they traced the issue to a newly funded account from a public faucet.

To stop the attack, developers needed to filter out transactions interacting with the deposit contract. However, they suspected that the attacker was monitoring their chats, which prompted them to roll out a “private fix” to select DevOps nodes controlling about 10% of the network.

Once the fix was deployed, nodes resumed producing full blocks, allowing the chain to function normally by 14:00 UTC. A few blocks later, the attacker’s transaction was successfully mined, confirming that all node operators had updated.

Despite the disruptions, Ethereum “never lost finalization”, and the issue was limited to Sepolia, as its token-gated deposit contract differed from the Ethereum mainnet deposit contract, according to van der Wijden.

Nevertheless, developers have decided to delay the Pectra upgrade for further testing and debugging.

What is Ethereum’s Pectra upgrade?

The Pectra fork is designed to enhance ETH staking, improve layer 2 scalability, and expand network capacity. It introduces 11 Ethereum Improvement Proposals (EIPs) and marks the first major upgrade since Dencun , which went live in March 2024.

As previously reported by crypto.news, developers planned to deploy Pectra on the mainnet by April 8, provided that both the Holesky and Sepolia testnets successfully completed their upgrades.

The upgrade was first implemented on the Holesky testnet on February 24, where it also ran into technical issues that prevented finalization.