- The Pectra upgrade on the Sepolia testnet faced unexpected issues, leading to empty block production.
- Developers identified an attacker exploiting an overlooked ERC-20 edge case, prompting a coordinated fix.
Ethereum’s Pectra upgrade on the Sepolia testnet ran into unexpected issues. Developers experienced bugs in their geth nodes, alongside mined empty blocks, the moment it was deployed at 7:29 AM UTC on March 5.
The problem was caused by an unexpected interaction with the deposit agreement, which caused unintended log events. This led to invalid blocks, which inhibited the correct processing of the transactions.
The Ethereum team quickly identified the root cause. The deposit contract, which processes staking deposits, mistakenly emitted an ERC-20 transfer event instead of the expected deposit event.
I wrote up the story of the Pectra incident on Sepolia, its an interesting story about edge cases, coordination and an attacker who swooped in and made our lives much harder!
Check it out (4min read): https://t.co/0ezGnm0Z8j
— MariusVanDerWijden (@vdWijden) March 9, 2025
Since the network’s logic required all deposit contract logs to be handled in the same way, this discrepancy led to block production errors.
The developers saw that each block with a transaction associated with the contract was being rejected, leaving only empty blocks. A patch was proposed to ignore invalid logs, though the developers faced a big problem: rolling it out in a way that wouldn’t split the chain.
However, they scheduled the update for 14:00 UTC, giving teams time to prepare. Meanwhile, to minimize disruption, they replaced problematic transactions with higher-paying ones, ensuring blocks could still be produced.
Zero-Token Transfers Enable New Exploit, Bypassing Fix
As the team believed the issue was fixed, empty blocks reappeared. Upon investigation, there was a new transaction exploiting the same flaw. The team suspected an internal mistake at first, only to discover later an external party found the flaw.
The attacker exploited a lesser-known aspect of the ERC-20 standard: zero-token transfers. The method allowed anyone, including non-token owners, to trigger transfer events, bypassing the original countermeasure.
In response to this new threat, the developers reacted quickly. They deployed a private patch blocking the transactions that were in direct contact with the deposit contract.
They deployed it quietly to a limited number of DevOps nodes in an attempt to maintain the chain live while working towards a bigger resolution.
The attacker’s plan suggested having developer forum access, which made things more complex. The attacker could have been able to alter their strategy by executing the transactions through intermediary contracts in the event the patch became public.
This forced developers to handle the response discreetly while ensuring enough full blocks were produced.
Ethereum Dev Plan Deeper Reviews Before Mainnet Rollout
At UTC 14:00, the Sepolia nodes synchronized with the official patch, resuming normal block production. The attacker’s transaction was mined later, which confirmed the node synchronization. The network did not lose finality throughout the disturbance, and the mainnet remained untouched.
The developers saw the issue was caused by the Sepolia deposit contract being token-gated, unlike the mainnet variant. The design created an unexpected interaction with ERC-20 token transfers, which caused the vulnerability.
The attack revealed a fundamental flaw in the ERC-20 standard—zero-token transfers still emit events, which can be exploited in some cases.
In light of such risks, the developers plan to conduct a deeper review of smart contract interactions before deploying Pectra to the Ethereum mainnet.
Additional simulation and trial runs in the testnet will ensure that edge cases are addressed. The team will fine-tune Ethereum’s update process to prevent such disruptions in future releases.