Litecoin's 13-Block Reorganization: A Zero-Day Exploit or a Known Vulnerability?

A recent 13-block chain reorganization on the Litecoin network has sparked controversy, with the foundation initially describing it as a zero-day exploit. However, an examination of the litecoin-project GitHub repository suggests that the vulnerability was actually patched between March 19 and 26, more than four weeks prior to the attack. The reorganization, which occurred on Friday and Saturday, rewound approximately 32 minutes of network activity after attackers exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol. The bug enabled a denial-of-service attack against major mining pools, allowing invalid MWEB transactions to slip through nodes that had not been updated. The Litecoin Core v0.21.5.4 release, which contains important security updates, was subsequently made available, and all users were advised to upgrade. Prominent researchers have pointed out that the GitHub commit log tells a different story, with the consensus vulnerability being privately patched before the attack. The timeline of events has raised concerns about the potential for similar exploits in the future, highlighting the challenges faced by older proof-of-work networks like Litecoin in responding to security vulnerabilities.