Security Council Emergency Action – 10/13/2025

At 12:23pm ET, October 13th, the Arbitrum Foundation notified the Security Council of the need to perform an emergency upgrade of the Arbitrum One and Arbitrum Nova networks. This upgrade was completed at 02:30pm ET. In the following, we have included an overview of the vulnerability, the required Security Council action, and the timeline of events.

Key point: No funds were ever at risk

A vulnerability was identified on the Arbitrum Sepolia network (block 204060366) : an external address authorised a transaction that triggered a Stylus bug.

Problem: It is a Stylus-related deviation and the issue relates to the native stack depth supported on the node and the underlying virtual stack depth of the processor.

Impact: This impacts the total gas consumed for a transaction and leads to a potential chain divergence.

Security Council Actions

The fix requires updating a configuration in ArbOS for the max wasm stack depth value.

Specifically, the following function is called:

• ArbOwner.setWasmMaxStackDepth(22000)

Arbitrum contributors prepared a transaction payload on Arbitrum One and Arbitrum Nova for the Security Council to sign.

An emergency action requires at least 9 out of 12 signatures from the following Security Council members:

• Bartek Kiepuszewski (L2Beat)
• Dennison Bertram
• Griff Green
• Michael L
• Harry Ng
• Emiliano Bonassi
• Goncalo (Immunefi)
• Yoav Weiss
• Fred
• Elad Erdheim (Certora)
• Steven Thornton (OpenZeppelin)
• John Morrow (Gauntlet)

Upgrade transactions

The Security Council signed the following transactions to update the configuration:

• Arbitrum One: Arbitrum One Transaction Hash: 0x1eac6f06c6... | Arbitrum One
• Arbitrum Nova:
  Arbitrum Nova Transaction Hash: 0x49626b4b01... | Arbitrum Nova

No external audit of the payload was required. It is a straightforward call of the ArbOwner contract and it was independently verified by Security Council members.

Actions Required

Arbitrum Sepolia

Only for ARM-Based Nitro Nodes operators on Arbitrum Sepolia, because of a deviation that occurred on Arbitrum Sepolia at block 204060366 apply the below mitigations:

Short-term solution

1. Arbitrum Sepolia node providers should shift over to running x86 in the short term.

Long-term solution

1. Sync ARM-based node from a Snapshot created by an x86 node from block 204060366, which will be released later.
2. Or upgrade ARM-based nodes to a new version of the Nitro software, which will be released later.

Arbitrum One and Nova

No action is required by Arbitrium One or Nova operators because the issue is related only to Arbitrum Sepolia.

Timeline of Events

• 12:23pm ET:

  • The Security Council was notified about the vulnerability on Signal.

• 12:45pm ET:

  • A war room was arranged and all Security Council members were notified to join.
  • 11 out of 12 members were available to join.

• 01:48pm ET:

  • Arbitrum contributors shared the transaction payloads with Security Council members.

• 02:30pm ET:

  • Upgrade transactions were executed on-chain and the potential bug was averted.

• 04:24pm ET:

  • Node operators were notified of the need to apply the above mitigations.