- According to Ethereum developers, the Sepolia testnet faced an attack after the Pectra deployment.
- A private fix has been deployed to prevent chat snooping from the attacker.
The Ethereum Pectra upgrade recently went live on the Sepolia testnet and encountered errors heightened by an attacker’s activities. Ethereum developers said the attack took advantage of an edge case missed in the ERC20 contract.
Sepolia Produces Empty Blocks: Why?
As we covered in our latest report, Ethereum developers successfully activated the Pectra upgrade on the Sepolia testnet on March 5. The aim is to test the upgrade features of the Pectra upgrade under simulated network conditions.
However, in a March 8 post, Ethereum developer Marius van der Wijden revealed that Sepolia encountered challenges shortly after the activation. According to the developer, the team noticed error messages on their geth node and mining of empty blocks.
The error message reads, “Unable to parse deposit data: deposit wrong length: want 576, have 32.” Ethereum developers deduced that the error resulted from a transfer event instead of a deposit.
Van der Wijden said the team quickly took action to fix the issue. To ensure a smooth rollout, the team replaced the transactions that were continuously triggering the edge case.
However, Van der Wijden noted that they missed one edge case in the ERC20 specification. An unknown user quickly took advantage of this loophole to send a 0-token transfer to the deposit address, again triggering the error.
“After a few minutes, we saw a lot of empty blocks again, so we looked again into the transaction pools and found another offending transaction that triggered the same edge cases,” says Van der Wijden.
The developer said the team initially thought someone from the trusted validators had made a mistake. However, they soon learned that this transaction came from a fresh account that the faucet had recently financed. This pointed them to the fact that someone had discovered an edge case in the ERC20 contract that they had missed.
Ethereum Developers Curtail the Sepolia Attack
Ethereum developers quickly deployed a private fix to prevent the attacker from causing further damage. Van der Wijden said they chose this fix because they suspected the attacker was reading their chats.
The developer noted that the team only updated a few nodes they controlled to get more full blocks on the network. The fix simply filtered out transactions that made direct calls to the deposit contract.
Once they updated all ef_devops nodes, they started proposing full blocks again. This allowed users to continue using the chain until they coordinated the deployment of the real fix.
By 2 pm that day, all nodes were updated to the new releases containing the actual fix, and the attacker transaction was mined successfully. Van der Wijden assured users they never lost finalization during the incident. He said the issue only happened in Sepolia because they used a token-gated deposit contract instead of the normal mainnet deposit contract.
As highlighted in our previous article, the Ethereum Pectra upgrade adds 11 new features, including scalability enhancements. Ethereum developers previously tried the Pectra upgrade on the Holesky testnet on February 26 but discovered problems. As a result, the developers have chosen to postpone the Pectra upgrade until additional testing is done.
