The Ethereum network finds itself in the crosshairs of a sophisticated denial-of-service attack that has slowed block confirmations to a crawl and forced developers into emergency action. The attack, which exploits the underpricing of the EXTCODESIZE opcode, has been calling the operation roughly 50,000 times per block, overwhelming miners with disk read operations and causing confirmation times to spike by as much as 300%.
TL;DR
- A computational DoS attack targeting the EXTCODESIZE opcode has severely slowed the Ethereum network
- Attack transactions call the underpriced opcode approximately 50,000 times per block
- Block confirmation times have increased by 300%, though no consensus failure has occurred
- Vitalik Buterin has proposed EIP-150, dramatically increasing gas costs for IO-heavy operations
- ETH price at $12.88 has shown resilience after an initial dip suspected to be coordinated with the attack
The Attack Vector: EXTCODESIZE Exploitation
On September 22, Ethereum Foundation developer Jeffrey Wilcke posted an urgent alert confirming that the network was under active computational DDoS attack. The attacker exploited the EXTCODESIZE opcode, a low-cost operation that requires nodes to read state information from disk. While the gas cost of this operation was set low — at just 20 gas — the actual computational cost of the disk reads it triggers made it an ideal vector for degradation.
The attack works by flooding the network with transactions that call EXTCODESIZE repeatedly within each block. Since each call forces a disk read operation, miners and full nodes are forced to spend substantial time processing what appears to be legitimate — and properly paid for — transactions. The result has been a dramatic slowdown across the entire network.
Crucially, the attack does not cause consensus failures or memory overloads. The network continues to process blocks, but at a significantly reduced pace. This makes it a particularly insidious form of attack — one that degrades performance without breaking the system outright.
Immediate Mitigation Efforts
The Ethereum development team responded swiftly with several stopgap measures. Miners were urged to switch to the Parity client with specific configuration settings optimized for handling the attack traffic. For those continuing to use the standard Geth client, developers recommended increasing the cache allocation to 1024 MB and adjusting the gas floor target and minimum gas price to filter out low-value spam transactions.
“The price of Ethereum was sold down just a day before the attack had been launched. Prices have since then recovered from lows. It is possible that this was a calculated sell off, and with the simple fix to the mining software Ethereum should be back to normal operational status,” noted Daniel Dabek, founder of Safe Exchange, an altcoin trading community.
EIP-150: The Structural Fix
The most significant response came on September 24, when Vitalik Buterin published EIP-150, titled “Gas cost changes for IO-heavy operations.” This proposal represents a fundamental rethinking of Ethereum’s gas pricing model for operations that interact with the blockchain’s state trie.
The changes are dramatic. EXTCODESIZE gas cost jumps from 20 to 700 — a 3,400% increase. BALANCE operations move from 20 to 400 gas. SLOAD, the storage read operation, increases from 50 to 200. The cost of CALL, DELEGATECALL, and CALLCODE rises from 40 to 700. Perhaps most strikingly, SELFDESTRUCT goes from being free (0 gas) to costing 5,000 gas, with an additional 25,000 gas penalty if targeting a newly created account.
Buterin’s rationale is grounded in the recognition that opcodes reading from the state tree have been systematically underpriced. The new costs are derived from an updated calculation table that targets a limit of 8 MB of data reads per block, accounting for Merkle proof overhead and worst-case code sizes of approximately 17-21 KB.
The Tangerine Whistle Hard Fork
EIP-150 is designated as part of the “Tangerine Whistle” upgrade, scheduled to activate at block 2,463,000 on the Ethereum mainnet. Beyond simple gas cost adjustments, the proposal also introduces sophisticated gas mechanics from EIP-90 and EIP-114. The new “all but one 64th” gas rule prevents out-of-gas errors when a contract's call requests more gas than remains, replacing the rigid call stack depth limit of 1,024 with a softer gas-based restriction that effectively limits depth to approximately 340 levels.
This change eliminates an entire class of call stack depth attacks that smart contract developers previously had to guard against. By making the cost of deep recursion prohibitively expensive, the network gains resilience against future quadratic-complexity DoS vectors.
The Ethereum community has generally welcomed the rapid response, though some have raised concerns about the impact on existing smart contracts. Contracts that make external calls using hardcoded gas calculations like msg.gas - 40 will need attention, though the EIP-90 mechanics are specifically designed to maintain backward compatibility.
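As an added example (not code from the article, from EIP-150, or from any Ethereum client), the following Python models the repricing described above and the “all but one 64th” forwarding rule from the Tangerine Whistle section, including the msg.gas - 40 compatibility case; the block gas limit and the call scenario values are assumptions.

```python
# Added example: a small model of the EIP-150 repricing and the "all but one 64th"
# call-gas rule. Opcode costs are the figures quoted in the article; BLOCK_GAS_LIMIT
# and the call scenario values are constructed assumptions for illustration only.

PRE_FORK = {"EXTCODESIZE": 20, "BALANCE": 20, "SLOAD": 50, "CALL": 40, "SELFDESTRUCT": 0}
EIP150 = {"EXTCODESIZE": 700, "BALANCE": 400, "SLOAD": 200, "CALL": 700, "SELFDESTRUCT": 5000}

BLOCK_GAS_LIMIT = 4_700_000      # assumed 2016-era block gas limit (not stated in the article)
ATTACK_CALLS_PER_BLOCK = 50_000  # the per-block call rate the article reports


def opcode_gas(opcode: str, calls: int, table: dict) -> int:
    """Gas charged for `calls` executions of `opcode` under a price table (opcode cost only)."""
    return calls * table[opcode]


def calls_per_block(opcode: str, table: dict, block_gas_limit: int = BLOCK_GAS_LIMIT):
    """Upper bound on repetitions of `opcode` one block can pay for; None if the op is free."""
    cost = table[opcode]
    return block_gas_limit // cost if cost else None


def legacy_forwarded_gas(available: int, requested: int, call_cost: int):
    """Pre-fork semantics: the callee gets exactly `requested`, or the CALL throws (None)."""
    remaining = available - call_cost
    return requested if requested <= remaining else None


def eip150_forwarded_gas(available: int, requested: int, call_cost: int = EIP150["CALL"]):
    """EIP-150 semantics: after paying the CALL cost, forward at most all but one 64th of
    what is left, instead of throwing when `requested` exceeds the remainder."""
    remaining = available - call_cost
    if remaining < 0:
        return None  # the CALL itself cannot be paid for: still out-of-gas
    return min(requested, remaining - remaining // 64)


def msg_gas_minus_40_call(available: int) -> dict:
    """A contract hard-coded to forward `msg.gas - 40` (the old CALL cost), under three rules."""
    requested = available - 40
    return {
        "pre_fork": legacy_forwarded_gas(available, requested, PRE_FORK["CALL"]),
        "repriced_without_eip90": legacy_forwarded_gas(available, requested, EIP150["CALL"]),
        "eip150": eip150_forwarded_gas(available, requested),
    }


if __name__ == "__main__":
    for name, table in (("pre-fork", PRE_FORK), ("EIP-150", EIP150)):
        gas = opcode_gas("EXTCODESIZE", ATTACK_CALLS_PER_BLOCK, table)
        print(f"{name}: 50k EXTCODESIZE calls cost {gas:,} gas; "
              f"one block pays for at most {calls_per_block('EXTCODESIZE', table):,} calls")
    print(msg_gas_minus_40_call(100_000))
```

Under the repriced table the attack pattern would cost 35,000,000 gas per block, far beyond the assumed block limit, while the msg.gas - 40 contract keeps working because its request is capped rather than rejected.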
Why This Matters
The EXTCODESIZE attack and the resulting EIP-150 response represent a defining stress test for the young Ethereum network. Coming just months after the DAO hack and the resulting hard fork, this incident demonstrates both the vulnerability of immature blockchain systems to novel attack vectors and the ability of development teams to respond with structural, protocol-level solutions rather than mere patches. The Tangerine Whistle upgrade establishes a precedent for emergency governance action that will shape Ethereum’s approach to network security for years to come. At press time, ETH trades at $12.88 with a market capitalization of approximately $1.09 billion, while Bitcoin holds steady at $602.63.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Cryptocurrency markets are highly volatile. Always conduct your own research before making investment decisions.
EIP-150 was the real deal here. Vitalik didn't just patch it, he fundamentally repriced IO-heavy opcodes. proper fix
ETH at $12.88 during the attack and it barely dipped. 2016 holders built different
20 gas per EXTCODESIZE call lmao. the underpricing was so obvious in hindsight