This is a joint post from Nomadic Labs, TriliTech, and Functori.
While performing an internal audit of an upcoming Etherlink kernel upgrade proposal, we discovered 4 live vulnerabilities also affecting Etherlink Mainnet. Two are critical vulnerabilities which, if exploited, could challenge Etherlink’s liveness.
No user funds or assets are currently at risk. We have found no evidence of these vulnerabilities being exploited (nor any exploit being attempted).
Still, we have prepared a bugfix kernel upgrade addressing these issues swiftly, which has already been submitted to Etherlink’s Fast governance mechanism.
Should the governance process be successful, the kernel upgrade will activate on Etherlink mainnet on 25 March 2026.
CTA: Tezos bakers! Please upvote Etherlink 6.2
We need your support to ensure these fixes are swiftly deployed. The kernel upgrade proposal (`00932181ea0b3446ec1d509c33680a473f133bd1aa92d144d2011fe9fd1e2787f`) has already been injected in the current proposal period.
The complete timeline is:
- Proposal period vote: fast governance period 1026, spanning L1 levels #12,461,089 (March 23 12:26 UTC) to #12,464,688 (March 23 18:26 UTC).
- Promotion period vote: fast governance period 1027, spanning L1 levels #12,464,689 (March 23 18:26 UTC) to #12,468,288 (March 24 00:26 UTC).
Remember that Etherlink fast governance periods last ~8 hours, which means you would need to vote two times within 16 hours.
We provide further voting instructions below. Don’t hesitate to reach out if you need our help to make sure you can cast your votes in time.
Vulnerabilities Recap
The Etherlink 6.2 kernel upgrade proposal addresses the following vulnerabilities:
- A live vulnerability in the FA token bridge precompile on Etherlink, which affects only EOA (Externally Owned Account) addresses. No user assets are currently at risk, as ERC-20 tokens are not affected and this is not a typical usage pattern.
- A plausible DoS attack on Etherlink kernel execution (Critical).
- A plausible DoS attack on the native Etherlink bridge (Critical).
- A DA Fee Undercharge on EIP-7702 Authorization List Bytes.
At the moment, we have no evidence of any attempts to exploit these vulnerabilities. We will continue monitoring Etherlink’s infrastructure throughout the governance process.
Given the critical nature of some of these issues, we will publish a full post-mortem report once the new kernel upgrade is fully deployed.
Thank you for your continued support for Etherlink.
We would also like to thank the security researchers who independently submitted details of these vulnerabilities during the testing phase. A bug bounty scheme is in operation for undiscovered security issues affecting Etherlink.