# What Happens If We Finalize an Invalid Block? ## Context Ethereum's Casper FFG finality mechanism is designed so that once a block is finalized, it becomes irreversible — at least without burning at least 1/3 of the total staked ETH. But what if the block that gets finalized is *invalid*? This is not merely a theoretical curiosity. It sits at the intersection of consensus safety, execution correctness, and social coordination, and the answer is far less clean than "the chain just rolls back." This runbook explores the scenario end-to-end: how it could happen, what the immediate consequences are, what options the community has, and what the trade-offs of each response look like. --- ## How Could This Happen? An invalid block reaching finalization requires a cascading failure across multiple layers of defense. No single bug is enough — it takes a combination. **Possible contributing factors:** - **Consensus client bug** — A majority of validators run a client with a bug that causes them to attest to a block without properly verifying its execution payload. If >2/3 of stake is on the affected client, that block can be justified and then finalized within two epochs (~13 minutes). - **Execution client bug** — The execution layer accepts a state transition that violates the rules (e.g., minting ETH out of thin air, incorrect gas accounting, invalid signature acceptance). If validators rely on a single dominant EL client, they all agree the block is valid when it is not. - **Client diversity failure** — This is the amplifier. If 67%+ of validators run the same CL/EL combination, a single bug in that combination is sufficient to finalize an invalid block. Client diversity is not just a nice-to-have — it is the primary defense against this scenario. - **Supermajority attestation before detection** — The bug would need to go undetected (or detected but too late) during the ~6.4 minutes it takes for a block to move from proposed to justified, and then another epoch for justification to become finalization. It is worth emphasizing: **this has never happened on Ethereum mainnet.** But it has been discussed extensively because the consequences are severe and the countermeasures involve hard trade-offs. --- ## Immediate Consequences The moment an invalid finalized block is detected, several things happen simultaneously: 1. **Minority clients reject the chain.** Clients not affected by the bug will see the finalized block as invalid and refuse to follow it. The network splits. 2. **The "canonical" chain (by finality) contains invalid state.** Any transactions, DeFi positions, bridge messages, or L2 commitments that reference post-invalid-block state are on shaky ground. 3. **Exchanges, L2s, and bridges face a dilemma.** They have likely already treated the finalized block as irreversible. Deposits may have been credited, withdrawals processed, L2 batches posted. 4. **Validator economics break.** Validators on the buggy majority client are attesting to an invalid chain. Validators on minority clients are "correct" but appear to be offline or forking from the majority's perspective. --- ## The Decision Tree Once the community recognizes that an invalid block has been finalized, there are broadly three paths forward. None of them are painless. ``` Invalid block is finalized | v ┌────────────────────────┐ │ Community detects │ │ the invalid block │ └────────────┬───────────┘ | ┌─────────────┼──────────────┐ v v v ┌──────────┐ ┌─────────────┐ ┌──────────────┐ │ Option A │ │ Option B │ │ Option C │ │ Social │ │ Accept & │ │ Inactivity │ │ fork │ │ move on │ │ leak fork │ └────┬─────┘ └──────┬──────┘ └──────┬───────┘ | | | v v v Roll back to Acknowledge Minority chain last valid the invalid bleeds majority finalized block state as canon via leak, then via coordinated and patch the finalizes its hard fork bug going fwd own valid chain ``` --- ## Option A: Social Layer Fork (Roll Back) The community coordinates a hard fork that reverts the chain to the last valid finalized checkpoint and builds forward from there, excluding the invalid block. ### How it works - Core developers identify the last valid finalized block before the invalid one. - A new client release is shipped that treats that block as the fork point. - Validators, node operators, exchanges, and infrastructure providers upgrade. - The invalid chain (and everything built on it) is abandoned. ### Pros | Aspect | Detail | |---|---| | **Preserves correctness** | The canonical chain only contains valid state transitions. The protocol's rules are upheld. | | **Punishes the bug, not the users** | Validators who attested to the invalid block on the buggy client can be slashed or penalized on the new fork (their attestations conflict with the new canonical chain). | | **Precedent exists** | Ethereum has done this before (the DAO fork in 2016), though the context was very different. | | **Restores trust in finality's meaning** | Finality means "valid and irreversible," not just "irreversible." | ### Cons | Aspect | Detail | |---|---| | **Breaks the finality guarantee** | The entire point of Casper FFG is that finalized blocks are irreversible. A social fork explicitly overrides this. Every future user of Ethereum must now account for the possibility that finality can be socially reversed. | | **Coordination nightmare** | Getting the entire ecosystem (exchanges, L2 rollups, bridges, oracles, RPC providers, wallets) to agree and switch in a timely manner is extraordinarily difficult. | | **Transaction reversal** | Every transaction after the invalid block is undone. Legitimate users lose trades, payments, and positions. DeFi protocols may end up in inconsistent states. | | **L2 and bridge fallout** | L2s that posted batches referencing the now-abandoned chain have to unwind. Cross-chain bridges that processed messages based on the finalized block may have already released funds on the other side — those funds are now unrecoverable from the bridge's perspective. | | **Time pressure** | The longer the invalid chain runs, the more economic activity accumulates on it, and the more painful the rollback becomes. | ### Affected parties - **All users with post-fork transactions** — their transactions are reversed. - **L2 rollups** — must reconcile or resubmit batches. - **Bridges** — may face insolvency if cross-chain messages were already acted upon. - **Exchanges** — deposits credited after the invalid block must be reversed or eaten as a loss. - **Validators on the buggy client** — face slashing on the new fork. - **Validators on the correct minority client** — vindicated, but may have suffered inactivity penalties in the interim. --- ## Option B: Accept the Invalid State and Move On The community acknowledges that an invalid state transition occurred but decides that the cost of rolling back exceeds the cost of accepting it. The bug is patched, and the chain continues from the current head. ### How it works - The bug is identified and patched in affected clients. - The invalid state (e.g., incorrectly minted ETH, incorrect balances) is acknowledged as a known deviation. - No chain reorganisation occurs. Finality is preserved as-is. ### Pros | Aspect | Detail | |---|---| | **No disruption** | All transactions remain valid. L2s, bridges, exchanges, and users are unaffected operationally. | | **Finality guarantee upheld** | The social contract that "finalized means final" is maintained, even if the specific block was technically invalid. | | **Faster resolution** | No coordination overhead for a hard fork. The patch is simpler than a rollback. | ### Cons | Aspect | Detail | |---|---| | **Protocol rules are violated** | The canonical chain now contains a state transition that breaks Ethereum's own rules. This is a philosophical and practical problem. | | **Severity-dependent** | If the invalid block minted billions of ETH out of thin air, "just accept it" is not viable. If it was a minor gas accounting error, it might be tolerable. The acceptability of this option is entirely a function of the severity of the invalid transition. | | **Sets a dangerous precedent** | If invalid state can be accepted once, what stops it from being accepted again? This erodes confidence in the execution layer's correctness guarantees. | | **Downstream trust** | L2s, bridges, and smart contracts that assume EVM correctness may behave unexpectedly if they interact with the invalid state. | ### Affected parties - **Protocol purists and researchers** — deeply uncomfortable with canonicalizing invalid state. - **Anyone holding assets affected by the invalid transition** — e.g., if ETH was minted to a specific address, that holder has "free money" and everyone else's ETH is diluted. - **Smart contracts** — may have encoded assumptions that no longer hold. --- ## Option C: Minority Chain via Inactivity Leak The validators running correct (minority) clients refuse to follow the invalid chain. Over time, the inactivity leak mechanism drains the stake of non-participating (majority/buggy) validators on the minority fork, until the minority fork can finalize on its own. ### How it works - Minority validators continue building on the last valid block. - Because >1/3 of validators are not participating on the minority fork (they're on the invalid majority chain), the minority fork cannot finalize. - The inactivity leak activates, gradually reducing the stake of non-participating validators. - Eventually, the participating validators on the minority fork hold >2/3 of the *remaining* effective stake, and the fork finalizes. - The community then rallies around the minority fork as the canonical chain. ### Pros | Aspect | Detail | |---|---| | **Protocol-native resolution** | This is literally what the inactivity leak was designed for. No social coordination or hard fork required at the protocol level. | | **Correct chain wins** | The fork that followed the actual rules of Ethereum becomes canonical. | | **Incentive-compatible** | Validators who ran correct software are rewarded. Validators who ran buggy software lose stake. This is the intended game theory. | ### Cons | Aspect | Detail | |---|---| | **Extremely slow** | The inactivity leak takes weeks to months to drain enough stake for the minority fork to finalize. During this entire period, the network is in a degraded state with no finality on the correct chain. | | **Two competing chains** | For the duration of the leak, there are two live chains. Exchanges, L2s, bridges, and users must decide which one to follow — and many will follow the majority (invalid) chain because it has finality. | | **Massive economic damage** | The uncertainty of two competing chains, combined with weeks of no finality on the correct one, would likely cause significant market disruption. | | **Validator losses** | Even correct minority validators suffer inactivity penalties (for not finalizing), though much less than the majority validators who are leaked on the minority fork. On the majority fork, minority validators are leaked instead. | ### Affected parties - **All network participants** — prolonged uncertainty about which chain is canonical. - **Majority validators** — lose significant stake through the inactivity leak on the (eventually canonical) minority fork. - **Minority validators** — temporarily penalized but ultimately vindicated. - **The entire DeFi ecosystem** — two competing versions of state for weeks is catastrophic for composability. --- ## Comparison Matrix | Dimension | A: Social Fork | B: Accept & Patch | C: Inactivity Leak | |---|---|---|---| | **Correctness preserved** | Yes | No | Yes | | **Finality guarantee preserved** | No | Yes | Yes (eventually) | | **Time to resolution** | Days | Hours | Weeks to months | | **Coordination required** | Very high | Low | Low (protocol-level) | | **Transaction disruption** | All post-fork txs reversed | None | Depends on which chain wins | | **Precedent risk** | Social override of protocol | Invalid state accepted | None (designed mechanism) | | **Viable for severe bugs** | Yes | No | Yes | | **Viable for minor bugs** | Overkill | Yes | Overkill | --- ## Key Takeaway There is no good option — only trade-offs. The severity of the invalid state transition is the primary factor that determines which path the community is likely to take: - **Catastrophic invalidity** (e.g., unbounded ETH minting, total state corruption) — Option A (social fork) becomes unavoidable regardless of the disruption cost. - **Moderate invalidity** (e.g., incorrect balance for a small number of accounts) — Option C (inactivity leak) is the most principled path, but Option A may be preferred for speed. - **Minor invalidity** (e.g., off-by-one gas accounting) — Option B (accept and patch) is pragmatic and proportionate. In all cases, the root cause is almost certainly **insufficient client diversity**. The single most effective mitigation is ensuring no CL/EL client combination exceeds 33% of the validator set. If that invariant holds, an invalid block *cannot* be finalized — minority clients will refuse to attest, and the 2/3 supermajority threshold is never reached. --- ## Further Reading - [Ethereum Consensus Specification — Casper FFG](https://github.com/ethereum/consensus-specs) - [Vitalik Buterin — Endgame for Ethereum Client Diversity](https://vitalik.eth.limo) - [clientdiversity.org](https://clientdiversity.org) - [EIP-7251 — Max Effective Balance](https://eips.ethereum.org/EIPS/eip-7251) (relevant to validator concentration dynamics)
Last changed by  
Barnabas Busa
49

Read more

Fusaka Client Bugs post mainnet

List of known bugs - potential fixes Post mainnet release bugs: Prysm mainnet bug. Follow up posts from potuz and prysm team. Rbuilder reth dependencies were not updated for Buildernet, causing a bit of a hiccup (simulation failed: invalid excess blob gas: got 82878256, expected 83053018; parent excess blob gas: 82747184, parent blob gas used: 917504) in blob delivery for blob gas fee calculation post BPO1. Updating the reth dependencies resolved the issue. Found a bug in Nimbus SSZ DataColumnSidecar: object dynamic portion starts at invalid offset fixed in 7794 Found a bug in Nimbus for setting BPO 0 at genesis. Fixed in 7788. Found a peering bug in Nethermind - statusMessage calculation incorrect and other peers rejecting connection due to Incorrect message. Nethermind can't peer with geth or reth. Fix still pending. Found a peering bug in prysm. Caused by 16100

12/17/2025
Fusaka & BPO timelines

Network Fork Name Time UTC Epoch Start Slot Unix Timestamp Hex Timestamp Fork ID Holesky

10/31/2025
Untitled

ICC Wifi discussion points Networking equipment FortiGate 500E Aruba 6200f 24g class4 poe 4sfp+ 370w switch Aruba 6200f 48g class4 poe 4sfp+ 740w switch Aruba AP-515 Access Points Aruba 7210(RW) Wireless Controller Costs unknown - I'm hopeful that this has no extra cost, as it should be included in the uplink cost. Would be good to confirm.

7/7/2023
4844-devnet-6 specs

:::info :mega: 4844 requires a trusted setup file, Please ensure that there is a way for us to specify the file through a runtime flag such as --trusted-setup-file (or similar). If the file is baked in during compile, please ensure that the flag would indeed override the file. This is a MUST requirement for devnet 6. If your client does not support the override, we can't include it in the devnet. ::: :::info :mega: The c-kzg trusted setup file has been updated since devnet 5. Please make sure you use the correct values. This can be found here. ::: Consensus Specs @ Commit 0682b22 aka v1.4.0-alpha.3 :heavy_check_mark:

6/14/2023
Read more from Barnabas Busa
Published on HackMD