Ethereum Testnet Sepolia Suffers Glitch, Team Deploys Fix

• A bug in the Sepolia testnet led to blocks being mined without transactions.
• An attacker exploited an overlooked ERC-20 edge case to worsen the issue.
• A coordinated fix restored normal block production.

The Pectra upgrade for Ethereum’s Sepolia testnet launched on March 5 at 7:30 UTC. Shortly after activation, developers noticed issues. Jim McDonald was asked to test the new withdrawal feature. However, as soon as the deposit transaction was sent, errors appeared on the network.

Logs indicated an error in the deposit contract. Instead of the expected event, an ERC-20 transfer event was emitted. The EIP-6110 logic required the treatment of logs in the deposit contract in the same way. This led to clients rejecting affected blocks, which caused the creation of endless empty blocks.

The developers saw the issue and devised a solution. The update would ignore invalid logs by the deposit contract. It needed coordinated deployment. Uncoordinated deployment of the update would split the network. Teams decided at 10:30 UTC to deploy the patch at 14:00 UTC. This gave time for preparation.

ERC-20 Exploit Triggers Empty Blocks Again

Sepolia continued producing empty blocks for three hours. Developers replaced the triggering transactions in order to reduce the disruption. The short-term patch restored block production. The network seemed to be in order when a new wave of empty blocks suddenly appeared. A new account exploited an underlooked ERC-20 rule. The ERC-20 standard accommodates zero-token transfers, which still trigger events. The attacker used the flaw to produce the same issue again.

At first, developers suspected a reliable validator made a mistake. But later investigation revealed that a newly funded account created the transaction. The attacker discovered the overlooked ERC-20 behavior and used it to disrupt Sepolia.

In an attempt to halt the disruptions, developers issued a private patch. The patch did not include transactions with the deposit contract. They suspected the attacker was tapping into their communications. In an attempt to avoid interference, the update was made private.

Private Fix Restores Sepolia Stability

About 10% of the network nodes applied the patch, bringing full blocks back online. This allowed users to start using Sepolia again in preparation for the final update. All the nodes upgraded to the new release with the full patch at 14:00 UTC.

A few blocks afterwards, the attacker’s transaction processed, which confirmed the success of the update for the entirety of the nodes. The issue was limited to Sepolia due to its token-gated deposit contract. The Ethereum mainnet lacks this mechanism, so the flaw does not exist there. The Ethereum team resolved the issue efficiently. Their quick response preserved the network’s stability. This episode’s experience will improve future testnet and mainnet upgrades.

Related Reading: Bitcoin Sell-Off Alert: Big Investors Are Preparing for a Crash