Litecoin Recovers from Denial-of-Service Attack by Rewriting 13 Blocks

Late Friday and Saturday, the Litecoin network experienced a significant disruption from a denial-of-service attack that exploited a vulnerability in its Mimblewimble Extension Block protocol, allowing the processing of invalid transactions. The attack was mitigated through a 13-block chain reorganization, effectively reversing the impact of the exploit. Litecoin Core v0.21.5.4 has been released with crucial security patches, and users are advised to upgrade.

Notably, the vulnerability had been privately patched between March 19 and 26, roughly four weeks before the attack. However, the patch had not been publicly disclosed or mandated for all mining pools, creating a window of vulnerability. Prominent researchers have raised concerns about this timeline, suggesting that the attack may not have been a traditional zero-day exploit, since the vulnerability was known and patched, albeit not publicly disclosed, before the attack.

The incident highlights the challenges faced by older proof-of-work networks like Litecoin, where independent mining pools have discretion over when to upgrade, potentially creating windows of vulnerability.