On November 21, 2025, Cardano experienced service degradation for about 14 hours. While the incident has already been analyzed from different perspectives (see for instance here and here), the goal of this blog post is to contextualize these events within the security guarantees provided by the Ouroboros protocol. This allows us to evaluate the theoretical guarantees offered by Ouroboros against a real-world stress scenario, and draw conclusions for future design and deployment decisions.
What happened
The service degradation was caused by a serialization bug discovered in versions 10.3.1, 10.4.1, and 10.5.1 of the node software. At the time of the incident, a supermajority of the stake in the system was delegated to stake pool operators (SPOs) running node versions affected by the bug, while a minority of SPOs were unaffected. Due to this discrepancy, and the fact that an intentionally malformed transaction was submitted to exploit the bug, the main chain split into two forks: a poisoned chain backed by the affected majority, and a second one following the spec built by the unaffected minority. A patch released shortly after the bug was discovered contained a fix to the serialization logic and SPOs were urged to upgrade. Over time, more and more SPOs adopted the patched version of the node software.
A theorist’s lens: spikes of adversarial majority
Ouroboros is a longest-chain (or Nakamoto-style) proof-of-stake (PoS) algorithm whose core security, similar to other designs, relies on the honest-majority assumption (HMA). It basically says that for a blockchain to function securely, the majority of the resources controlling it must be ‘honest,’ meaning they follow the protocol's rules as designed. In proof-of-work blockchains like Bitcoin, where the key resource is computational power (mining hash rate), the assumption requires honest participants to collectively control more than half of it. In PoS systems, the key resource is stake (the amount of ada possessed by or delegated to validators). But the spirit of the assumption remains unchanged: parties controlling a majority of the total delegated stake must act according to the protocol’s specification.
Going back to the incident, since nodes affected by the serialization bug failed to follow the specification, they could no longer support the good chain. Given that these nodes represented a supermajority of the total delegated stake in the early phase after the malicious transaction was transmitted to mainnet, a temporary HMA violation unfolded during the first hours after the attack took place.
So this must have been a bad day for Cardano’s consensus algorithm?
Ouroboros is designed for resilience, and asking for HMA to be satisfied for 100% of the protocol’s running time is unnecessary. In fact, a paper published by IOG researchers and their collaborators in 2024 and presented at the IEEE Computer Security Foundations Symposium proved that longest-chain protocols such as Bitcoin or Ouroboros can recover from temporary HMA violations. While this was suspected prior to the paper’s publication, our work was the first to give explicit guarantees on the self-healing property of these algorithms:
- How many blocks prior to the start of the attack could be eroded due to a temporary HMA violation?
- How long does the blockchain take to return to normalcy after such a violation?
Our main finding is the following: if the violation is not strong enough to interfere with the higher-level organization of the protocol (in the case of Cardano, this would be the epoch structure), the protocol can automatically return to a safe state. A critical quantity in the analysis is the ‘strength’ of the violation. Roughly speaking, this is the cumulative effect, over the duration of the violation, on the slot-leadership distribution compared to the normal case when HMA holds. It is therefore directly related to the expected number of additional adversarial blocks compared to normal times. With this formality behind us, we find that:
- Blocks located deep enough in the chain prior to the attack will stay in the chain. ‘Deep enough’ means on the order of the attack strength.
- After HMA is restored, the time it takes to return to a normal state of operation is proportional to the order of the attack strength.
This bounds the impact of a temporary HMA violation on Cardano and, especially in light of the recent incident, must be considered a truly invaluable security property of Ouroboros. During the incident, the strength of the violation accumulated over about 8 hours, yielding a cumulative advantage of a few hundred blocks. The theoretical analysis asserts a return to normalcy in roughly the same order of magnitude, which is what we observed when the correct chain caught up about 14 hours after the split.
Speedy recovery
In summary, the recovery we observed followed the predicted, secure-by-design self-healing behavior of Ouroboros.
As SPOs installed the patch, the effective honest stake supporting the correct chain began to rise steadily, while the poisoned chain containing the invalid transaction rapidly lost stake support. The good chain eventually exceeded the length of the poisoned chain. At that point, the network's longest-chain rule automatically switched all remaining nodes to the correct chain, even if they remained unpatched.
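The fork dynamics described here, together with the notion of violation strength from the previous section, can be sketched as an expected-value toy model. This is an added example, not code from the Cardano node or from the cited paper; the block rate, the patched-stake schedules, and all function names are constructed assumptions.

```python
# Added illustration: expected-value toy model of the fork described above.
# Every parameter is a constructed assumption, not incident data.

BLOCKS_PER_HOUR = 180.0  # assumption: about one block every 20 seconds

# Constructed schedules of (hour, patched stake fraction) points.
SLOW_ROLLOUT = [(0, 0.30), (8, 0.50), (16, 0.70)]
FAST_ROLLOUT = [(0, 0.30), (4, 0.50), (8, 0.70)]


def patched_fraction(schedule, t):
    """Linearly interpolate the patched stake fraction at hour t."""
    if t <= schedule[0][0]:
        return schedule[0][1]
    for (t0, p0), (t1, p1) in zip(schedule, schedule[1:]):
        if t <= t1:
            return p0 + (p1 - p0) * (t - t0) / (t1 - t0)
    return schedule[-1][1]


def simulate_fork(schedule, step=0.01, max_hours=72.0):
    """Follow the expected lead of the poisoned chain over the good chain.

    Patched stake extends the good chain and rejects the poisoned one.
    Unpatched stake accepts both and extends the poisoned chain while it
    is longer; once the good chain catches up, every node switches to it.
    """
    lead = peak = 0.0     # poisoned minus good length, in expected blocks
    hma_restored = None   # first hour at which patched stake reaches 50%
    for i in range(int(max_hours / step)):
        t = i * step
        p = patched_fraction(schedule, t)
        if hma_restored is None and p >= 0.5:
            hma_restored = t
        lead += BLOCKS_PER_HOUR * ((1.0 - p) - p) * step
        peak = max(peak, lead)
        if hma_restored is not None and lead <= 0.0:
            return {"peak_lead": peak, "hma_restored": hma_restored,
                    "recovered": t + step}
    return {"peak_lead": peak, "hma_restored": hma_restored, "recovered": None}


if __name__ == "__main__":
    for name, sched in (("slow", SLOW_ROLLOUT), ("fast", FAST_ROLLOUT)):
        print(name, simulate_fork(sched))
```

In this model the poisoned chain's expected lead peaks when patched stake reaches 50%, and the faster constructed rollout both lowers that peak and shortens the delay between restoring the honest majority and the chain switch.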
Crucially, the self-healing process did not require any manual intervention to ‘checkpoint’ the good chain or ‘blacklist’ the poisoned one. Rather, it was an organic outcome of the majority of nodes gradually transitioning to the spec-respecting interpretation of the competing chains. This also meant that tools and higher-level applications that did experience issues when parsing the bad chain due to its spec incompatibility automatically healed as a result.
Is self-healing feasible for other blockchain designs?
It is worth comparing different consensus designs in terms of their self-healing capabilities. A prominent consensus design approach is iterating BFT-style algorithms. In their basic form, these protocols finalize blocks one by one by casting several voting rounds on each proposed block. Once the block receives a quorum certificate by a supermajority (e.g., more than two-thirds) of votes in all necessary rounds, it is considered finalized and becomes immutable. Had such a protocol faced the incident considered here, a sufficient supermajority of bug-affected nodes would finalize blocks not conforming to the specification.
This is a very concerning situation, as even after a version update, the quorum certificates witnessing bad blocks would remain in the system unless explicitly disqualified in the protocol logic by either checkpointing the right branch or blacklisting the bad branch. Furthermore, this logic would not only have to be applied consistently within core consensus (for example, to avoid triggering slashing conditions); the rules would also have to be propagated to all related tools and higher-level applications interacting with the ledger, such as bridges and light clients. In practice, these are often third-party products, so the patching would require a well-coordinated effort across the community.
Lessons learned
One role of research is to be forward-looking, anticipating scenarios that, at the time of investigation, are plausible but might have never occurred before. A bug forked the network for several hours, an incident of a scale never seen in the Cardano ecosystem. However, the prudent, forward-looking and robust consensus design of Ouroboros was ready to handle these adverse conditions, something that also confirmed that self-healing is a valuable property of a blockchain protocol capable of seamlessly mitigating the impact of such bad events.
Peter Gazi, Christian Badertscher, Matthias Fitzi, and Sandro Coretti-Drayton also contributed to this blog.





