Litecoin Suffers Denial-of-Service Attack, Successfully Reverses 13 Blocks

On Friday and Saturday, a 13-block chain reorganization occurred on the Litecoin network, effectively rewinding 32 minutes of network activity. The reorganization was the response to an attack that exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol, enabling a denial-of-service attack against major mining pools and allowing invalid transactions to temporarily slip through nodes that had not been updated. The Litecoin Core v0.21.5.4 release has since been made available, containing crucial security updates. According to the Litecoin Foundation, the bug has been fully patched and the network is now operating normally.

However, security researchers have pointed out discrepancies in the timeline of events, suggesting that the vulnerability was known and privately patched between March 19 and 26, roughly four weeks before the attack took place. The consensus vulnerability was exploited to enable an invalid MWEB peg-out, while a separate denial-of-service vulnerability was patched on the morning of April 25. Both fixes were incorporated into release 0.21.5.4 on the same afternoon, after the attack had begun. Because the vulnerability was known and patched a month before the exploit, yet neither publicly disclosed nor mandated for all mining pools, the attackers had a window of opportunity.

This incident highlights the differences in how networks respond to exploits: newer chains can often coordinate upgrades more swiftly than older proof-of-work networks like Litecoin and Bitcoin, which rely on independent mining pools to choose when to upgrade. The full extent of the damage, including the amount of LTC pegged out during the invalid block window and the value of any swaps completed before the reorganization, has not been disclosed.
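The article notes that swaps may have been completed against blocks that were later rewound, which is the classic exposure for exchanges and payment processors during a deep reorganization. The following is an added example, not code from Litecoin Core or from the Litecoin Foundation: a small reorg monitor that tracks a block-header chain, computes the fork point and depth when the active tip switches to a competing branch, reports how much wall-clock history was rewound, and lets a service check whether the block that contained a credited deposit is still in the main chain. All block hashes, heights and timestamps are constructed; the only real constant is Litecoin's 2.5-minute target block spacing, which is why the simulated 13-block reorg below rewinds roughly the 32 minutes reported for the incident.

```python
"""Reorg monitor for a chain of block headers (added example, not Litecoin Core code).

Block hashes such as "a12" or "b20" are constructed placeholders, not real hashes.
"""
from dataclasses import dataclass
from typing import Optional

LITECOIN_BLOCK_INTERVAL_S = 150  # Litecoin's 2.5-minute target block spacing


@dataclass(frozen=True)
class Header:
    hash: str             # constructed placeholder for the block hash
    prev: Optional[str]   # parent block hash; None only for genesis
    height: int
    time: int             # block timestamp (unix seconds, constructed)


class ReorgMonitor:
    """Tracks the active chain tip and reports how deep each reorganization is."""

    def __init__(self, genesis: Header, alert_depth: int = 6):
        self.headers = {genesis.hash: genesis}
        self.tip = genesis.hash
        self.alert_depth = alert_depth  # depth at which a reorg is flagged as abnormal
        self.events = []

    def add_header(self, h: Header) -> None:
        # Refuse orphans and inconsistent heights; a real node does far more validation.
        if h.prev not in self.headers:
            raise ValueError(f"orphan header {h.hash}: parent {h.prev} unknown")
        if h.height != self.headers[h.prev].height + 1:
            raise ValueError(f"bad height for {h.hash}")
        self.headers[h.hash] = h

    def ancestors(self, block_hash: str) -> set:
        """All block hashes from block_hash back to genesis, inclusive."""
        out, cur = set(), block_hash
        while cur is not None:
            out.add(cur)
            cur = self.headers[cur].prev
        return out

    def in_main_chain(self, block_hash: str) -> bool:
        """True if the block is an ancestor of (or equal to) the current tip."""
        return block_hash in self.ancestors(self.tip)

    def set_tip(self, new_tip: str) -> dict:
        """Switch the active tip and return a report describing any reorg (depth 0 if none)."""
        old_tip = self.tip
        new_branch = self.ancestors(new_tip)
        # Walk the old chain back until we reach a block shared with the new branch.
        rewound, cur = [], old_tip
        while cur not in new_branch:
            rewound.append(cur)
            cur = self.headers[cur].prev
        fork = self.headers[cur]
        depth = len(rewound)
        rewound_seconds = self.headers[old_tip].time - fork.time if depth else 0
        self.tip = new_tip
        report = {
            "fork_height": fork.height,
            "depth": depth,
            "rewound_blocks": rewound,          # newest first
            "rewound_minutes": rewound_seconds / 60,
            "alert": depth >= self.alert_depth,
        }
        if depth:
            self.events.append(report)
        return report


def make_chain(prefix: str, parent: Header, count: int) -> list:
    """Construct `count` headers extending `parent`; hashes like 'a7' are placeholders."""
    blocks = []
    for _ in range(count):
        h = Header(hash=f"{prefix}{parent.height + 1}", prev=parent.hash,
                   height=parent.height + 1, time=parent.time + LITECOIN_BLOCK_INTERVAL_S)
        blocks.append(h)
        parent = h
    return blocks


def simulate_13_block_reorg():
    """Constructed scenario: a 14-block competing branch displaces 13 blocks of the main chain."""
    genesis = Header("g0", None, 0, 1_700_000_000)
    mon = ReorgMonitor(genesis, alert_depth=6)
    main = make_chain("a", genesis, 19)          # heights 1..19
    for h in main:
        mon.add_header(h)
        mon.set_tip(h.hash)                      # each one is a plain extension, depth 0
    branch = make_chain("b", main[5], 14)        # forks after height 6, reaches height 20
    for h in branch:
        mon.add_header(h)
    deposit_block = "a12"                        # block in which a deposit was credited
    credited_before = mon.in_main_chain(deposit_block)
    report = mon.set_tip(branch[-1].hash)        # longer branch wins; 13 blocks rewound
    return report, credited_before, mon.in_main_chain(deposit_block)


if __name__ == "__main__":
    report, before, after = simulate_13_block_reorg()
    print(f"reorg depth {report['depth']} at fork height {report['fork_height']}, "
          f"rewound {report['rewound_minutes']:.1f} min, alert={report['alert']}")
    print(f"deposit block confirmed before={before}, after={after}")
```

A service that credited the deposit in block `a12` after a handful of confirmations would see `in_main_chain` flip from true to false once the tip moves, which is exactly the state the article's "swaps completed before the reorganization" describes; the alert threshold is the knob that decides how many confirmations a deposit needs before it is treated as settled, and any reorg deeper than that is an operational incident worth paging on.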