Ethereum’s highly anticipated Pectra upgrade encountered disruptions on the Sepolia testnet following an exploit that led to empty block mining. The upgrade, which was deployed on March 5, ran into issues a few hours later when developers noticed error messages on their geth node.
According to a detailed report from Ethereum developer Marius van der Wijden, the team discovered an unexpected behavior in the deposit contract that occurred on the testnet at around 7:30 UTC last Wednesday. Instead of triggering the expected deposit event, the contract emitted an incorrect transfer event.
“Shortly after the hard fork was activated, we told Jim McDonald to send a deposit to test the execution-triggered withdrawal functionality added in Pectra. We then saw error messages on our geth node and started seeing a lot of empty blocks being mined,” van der Wijden explained.
The error message reportedly read, “unable to parse deposit data: deposit wrong length: want 576, have 32.” This meant the token-gated deposit contract had executed an unexpected ERC-20 transfer, disrupting the chain’s expected behavior.
Wijden said that developers moved quickly to deploy a fix, but an overlooked edge case allowed an unknown attacker to take advantage of the system. The exploiter sent a zero-token transfer to the deposit address and managed to trigger the same error again, leading to continued empty block mining.
“We checked the deposit contract and verified that no one could trigger the deposit functionality (because it is token gated and we only gave out tokens to trusted parties for Sepolia). We missed one edge case in the ERC20 spec, though,” the developer remarked.
Initially, developers had suspected the mistake came from a trusted validator, but later realized the transaction originated from a new account funded through a faucet. Ethereum’s team then moved to coordinate the fix rollout without splitting the chain.
Wijden said that a hasty release could have caused network fragmentation because nodes that weren’t updated would not have been able to connect to the fixed chain. After averting the crisis, they planned a joint rollout for 14:00 UTC, which gave the teams time to get ready.
After additional investigation, developers found the flaw: the ERC-20 standard does not ban transfers of zero tokens. This means that anyone, no matter how many tokens they held, could send a transfer of zero tokens. This is what caused the deposit event.
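The failure mode described above can be reproduced in a few lines. The following Go sketch is an added illustration, not geth's code and not necessarily the fix that shipped: it shows a log collector that treats every log from the deposit contract as a deposit, and a stricter variant that also matches the event signature. The address, the topic strings and all function names are constructed placeholders.

```go
package main

import "fmt"

// Constructed stand-ins: real clients compare a 20-byte address and 32-byte
// keccak-256 event signature hashes, not readable strings.
const (
	depositContract = "0xDEPOSIT_CONTRACT_PLACEHOLDER"
	topicDeposit    = "topic:DepositEvent"
	topicTransfer   = "topic:Transfer"
	depositDataLen  = 576 // length expected in the quoted error message
)

type Log struct {
	Address, Topic0 string
	Data            []byte
}

// collectDeposits gathers deposit data from a block's logs. With checkTopic
// false, every log emitted by the contract address is assumed to be a deposit,
// so a single 32-byte Transfer log makes processing of the whole block fail.
func collectDeposits(logs []Log, checkTopic bool) ([][]byte, error) {
	var out [][]byte
	for _, l := range logs {
		if l.Address != depositContract || (checkTopic && l.Topic0 != topicDeposit) {
			continue // not from the contract, or not a deposit event
		}
		if len(l.Data) != depositDataLen {
			return nil, fmt.Errorf("unable to parse deposit data: deposit wrong length: want %d, have %d",
				depositDataLen, len(l.Data))
		}
		out = append(out, l.Data)
	}
	return out, nil
}

// sampleLogs is constructed: one well-formed deposit, one zero-value Transfer.
func sampleLogs() []Log {
	return []Log{
		{depositContract, topicDeposit, make([]byte, depositDataLen)},
		{depositContract, topicTransfer, make([]byte, 32)}, // uint256 amount = 0
	}
}

func main() {
	_, err := collectDeposits(sampleLogs(), false)
	fmt.Println("address-only match:", err)
	deps, err := collectDeposits(sampleLogs(), true)
	fmt.Println("address+topic match:", len(deps), "deposit(s), err:", err)
}
```

The 32 bytes in the error correspond to the single non-indexed `uint256` amount carried in an ERC-20 Transfer event's data field.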
Three and a half hours before the coordinated fix, as the developer described, Sepolia had supposedly produced “a lot of” empty blocks. To restore normal operations in the meantime, developers removed the transactions triggering the exploit by replacing them with higher-paying ones.
Ethereum’s team implemented a private fix that filtered out transactions interacting with the deposit contract. Given suspicions that the attacker was monitoring developer chats, they decided against publicizing the fix immediately.
“The fix is only filtering out transactions that directly call the deposit contract. If we publicized the fix, the attacker would’ve been able to circumvent our mitigation by calling the contract from another contract. These internal calls would still trigger the event, but they wouldn’t be easy to filter out during block creation,” Wijden reported.
Once roughly 10% of the network’s nodes were updated, full blocks began appearing again. This allowed the chain to function while the full patch was prepared for deployment.
At 14:00 UTC, all nodes updated to the new release containing the final fix. A few blocks later, the attacker’s transaction was successfully mined, confirming that all node operators had implemented the patch. The incident did not affect Ethereum’s mainnet, as the issue was specific to Sepolia’s token-gated deposit contract.
It did affect all nodes, since it was a clash between the specification and the implementation of the deposit contract on Sepolia.
— MariusVanDerWijden (@vdWijden) March 9, 2025
When asked by an X social media user if the “attacker had anything to win” by exploiting the testnet issue, Wijden answered, “No, they didn’t have anything to gain from it.”
Ethereum is still showing signs of weakness, shedding over 10% of its value in the last week. The second-largest coin by market cap has been hovering around the $2,000 mark, a three-month low support level that market watchers predict will drop even lower.
According to market technical indicators, ETH is in a continued downtrend, with lower highs and lows forming alongside bearish moving averages. If Ethereum fails to hold $2,000, analysts warn that the next major support levels lie between $1,800 and $1,700.
Although the Relative Strength Index (RSI) at 30.45 suggests a potential short-term bounce, resistance at $2,200 is a level the coin has failed to breach for over 24 hours.