Ethereum Pectra Upgrade on Sepolia Testnet Faces Setback Due to Exploit

Ethereum Pectra Upgrade on Sepolia Testnet Faces Setback Due to Exploit

The recent Pectra upgrade on Ethereum’s Sepolia testnet, launched on March 5 at 7:29 AM, encountered unexpected errors, which were exacerbated when an attacker exploited an edge case, leading to the mining of empty blocks, according to Ethereum developer Marius van der Wijden.

In a March 8 update, van der Wijden explained that error messages appeared immediately after the rollout, and empty blocks started being mined. The root cause was traced to a deposit contract event misfire, where a transfer event was mistakenly triggered instead of a deposit event.

Although developers quickly deployed a fix, they overlooked one critical edge case. An unknown user exploited this vulnerability by sending a zero-token transfer to the deposit address, triggering the error once again.

“After a few minutes, we saw a lot of empty blocks again. We re-examined the transaction pools and identified another problematic transaction triggering the same issue,” van der Wijden stated.
“At first, we thought it was a mistake from one of the trusted validators. However, we soon discovered that the transaction originated from a newly created account, recently funded by the faucet.”

Exploiting Ethereum’s ERC-20 Loophole

The ERC-20 standard does not prohibit zero-token transfers, meaning anyone—even those without any actual tokens—can execute such transfers. The attacker leveraged this loophole to continuously trigger the issue.

To mitigate the attack, developers implemented a private fix, filtering out all transactions interacting with the deposit contract.

“We suspected the attacker was monitoring our discussions, so we decided against publicly announcing the fix,” van der Wijden noted.
“Instead, we updated only a few DevOps-controlled nodes to restore normal block production.”

By 2 PM, all nodes had been updated, allowing the attacker’s transaction to be successfully mined, effectively resolving the issue. Van der Wijden confirmed that Ethereum’s finalization process remained unaffected throughout the incident.

Pectra Upgrade Delayed for Further Testing

The issue remained isolated to Sepolia, as developers were using a token-gated deposit contract instead of Ethereum’s mainnet deposit contract. A similar incident occurred on Feb. 26 during the Holesky testnet upgrade, prompting Ethereum developers to delay Pectra’s mainnet launch until further testing is completed.

The Pectra upgrade follows Ethereum’s Dencun hard fork, which was successfully implemented on March 13, 2024. The Dencun upgrade significantly reduced transaction fees for layer-2 networks and improved Ethereum rollup economics.

Meanwhile, the Ethereum Foundation has undergone a leadership transition, appointing Hsiao-Wei Wang and Tomasz Stańczak as its new co-directors to oversee the network’s ongoing development.