Litecoin Network Faces Denial-of-Service Attack, Successfully Reverses 13 Blocks

On Friday and Saturday, a series of events led to a 13-block chain reorganization on the Litecoin network, effectively rewinding 32 minutes of network activity. The reorganization was a response to a denial-of-service attack that targeted major mining pools by exploiting a vulnerability in the Mimblewimble Extension Block (MWEB) protocol. The attack allowed invalid MWEB transactions to get past nodes that had not been updated, before the network's longest valid chain corrected them.

Following the incident, Litecoin Core v0.21.5.4 was released, containing crucial security updates. According to the Litecoin Foundation, the bug has been fully patched and the network is now operating normally.

However, security researchers have pointed out that the timeline of events, as shown on the litecoin-project GitHub repository, indicates that the consensus vulnerability was known and patched privately between March 19 and 26, roughly four weeks before the attack. This has raised concerns about the window of vulnerability that existed between the private patch and the public release of the fix.

The incident highlights the differences in how various networks respond to exploits: newer chains are often able to coordinate upgrades quickly, while older proof-of-work networks like Litecoin rely on independent mining pools to choose when to upgrade, creating potential windows of vulnerability.