How One Malformed Transaction Split Cardano — Lessons for Ethereum and Solana
News

How One Malformed Transaction Split Cardano — Lessons for Ethereum and Solana

Posted on by Josh Taylor

What actually happened (and yes, someone called the FBI)

On a sleepy morning in late November, Cardano’s mainnet did something dramatic: a single malformed staking-delegation transaction woke up a dormant bug and produced two competing histories. For about 14½ hours, parts of the network happily built on a branch that accepted the bad transaction while other parts stuck to the branch that rejected it. Blocks continued to flow — so the chain didn’t die — but uniqueness of the ledger did. Wallets and exchanges saw mismatched balances, operators scrambled to decide which chain to trust, and patched node releases eventually nudged everyone back to one canonical view.

The issue traced to an old hash-deserialization bug added years ago but only triggered by new code paths in some node versions. Newer nodes treated the malformed delegation as valid; older or unpatched nodes rejected it. That disagreement over what “valid” meant is what produced the split. No coins were stolen, the network stayed live, and the split was resolved by operators upgrading to fixed node versions — but not before it got messy. The project’s co-founder reported the incident to law enforcement after a former stake-pool operator admitted broadcasting the malformed transaction; authorities are looking into whether this was reckless testing or something worse.

Why this is interesting to Eth and Solana fans (aka the architecture showdown)

There are three broad ways layer‑1 blockchains tend to fail, and this incident is a neat way to compare them:

– Monoclient-and-stop: Solana’s approach runs essentially one validator binary. When that binary trips over a nasty bug, the chain usually halts and humans coordinate a restart. That gives you strong uniqueness (no split) at the cost of liveness pauses.

– Multi-client-and-resist: Ethereum deliberately runs many independent implementations for execution and consensus. If one client botches something, the others keep the network honest — the goal is that a single buggy codebase can’t force an invalid chain across the whole system.

– Monolithic-with-version-skew: Cardano’s setup in this episode looked like one codebase with divergent versions. Version skew effectively created two “clients” that disagreed on validity, and each had enough stake weight to sustain its own chain for a while. That explains why the network didn’t freeze but instead split.

The practical lessons are tidy and a little stingy: diversified implementations reduce the chance that one weird bug rewrites reality, but concentration in popular clients still creates systemic risk. Conversely, a single‑binary design may avoid splits but accepts the risk of prolonged outages when that binary fails.

There are also operational wins to celebrate. The bug’s scope was narrow — a specific deserializer for delegation certificates — so it could be patched quickly without changing core cryptography or chain-selection rules. A pre-written recovery playbook helped, too: having a documented procedure and good incident communication meant voluntary upgrades were enough to heal the ledger instead of invoking emergency governance measures.

Finally, the episode highlights a cultural point: running experiments on mainnet is irresponsible. If you find a weird edge case, use the testnets or a bug bounty program. Rewarding safe disclosure prevents the “let’s see what happens live” crowd from turning production into a playground for boffo bugs.

Bottom line: fuzz the heck out of serialization code, practice your recovery plan on a testnet, and push for true client diversity or better upgrade discipline. Do those, and you reduce the chance of waking up to a two-headed chain — which, fun as it sounds, is a headache nobody needs.