In September and October 2016, both Ethereum and Ethereum Classic experienced coordinated denial-of-service attacks that exploited underpriced EVM opcodes. The response shaped both networks' approach to gas pricing.
The 2016 Attacks
Transaction Spam (September 2016)
Attackers discovered that certain opcodes — particularly EXTCODESIZE and BALANCE — were priced far below their actual computational cost. By constructing transactions that called these opcodes thousands of times, attackers could force nodes to perform expensive I/O operations for minimal gas cost.
State Bloat (October 2016)
A second wave targeted state growth. The CREATE opcode was used to generate millions of empty accounts, bloating the state trie that every full node must store. At peak, the attack added over 19 million empty accounts to the state.
Impact
- Block processing times increased from seconds to minutes
- Some nodes ran out of memory and crashed
- Network throughput dropped dramatically
- Synchronizing new nodes became impractical
Protocol-Level Fixes
Both ETH and ETC implemented the same fixes, known as the "Spurious Dragon" changes on ETH and equivalent changes on ETC:
Gas Repricing (EIP-150)
Opcodes that performed I/O operations had their gas costs increased to reflect actual computational cost:
- EXTCODESIZE: 20 → 700 gas
- BALANCE: 20 → 400 gas
- SLOAD: 50 → 200 gas
- CALL variants: 40 → 700 gas
State Clearing (EIP-161)
Empty accounts (zero balance, zero nonce, no code) could be removed from the state trie, allowing nodes to clean up the millions of accounts created during the attack.
EXP Repricing (EIP-160)
The EXP opcode cost was increased from 10 + 10 per byte to 10 + 50 per byte to prevent computational DoS via exponentiation.
Lessons Learned
The 2016 attacks demonstrated that gas pricing must accurately reflect actual resource consumption. Underpriced opcodes create economic attack vectors that are difficult to mitigate without protocol changes. Both networks now conduct more thorough gas cost analysis before introducing new opcodes.