Litecoin Network Recovers from Denial-of-Service Attack and 13-Block Chain Reorganization
On Friday and Saturday, a 13-block chain reorganization occurred on the Litecoin network, effectively rewinding 32 minutes of network activity. The reorganization was the aftermath of a denial-of-service attack that exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol, which allowed invalid transactions to be accepted by nodes that had not been updated. The bug was privately patched between March 19 and 26, but the fix was neither publicly disclosed nor mandated for all mining pools, creating a window of vulnerability.

A prominent security researcher, bbsz, highlighted the patch timeline from the public commit log of the litecoin-project GitHub repository, showing that the consensus vulnerability was known and patched a month before the exploit. Because the fix was not broadcast publicly, some miners continued to run the vulnerable version while others ran the patched code. The attackers appeared to know which miners were running the patched code and which were not. The denial-of-service attack was designed to take the patched mining nodes offline, allowing the unpatched nodes to build a chain that included the invalid transactions. Once the denial-of-service attack stopped, the network handled the 13-block reorganization automatically, suggesting that enough hashrate was running updated code to eventually overpower the attack.

The incident highlights how differently code maintainers and developers react to exploits on various networks: newer chains can coordinate upgrades quickly, while older proof-of-work networks like Litecoin rely on independent mining pools choosing when to upgrade, which creates a window of vulnerability.
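The following simulation illustrates the mechanism described above: a network split between nodes that enforce a consensus rule and nodes that do not, a branch containing an invalid transaction that only the unpatched nodes extend while the patched miners are offline, and the reorganization that unpatched nodes experience once the patched hashrate returns and builds a heavier valid branch. It is an added example written for this page, not code from the article or the Litecoin project; the `Block` and `Node` classes, the most-accumulated-work fork-choice rule, and the constructed block counts (100 shared blocks, 13 attacker blocks, 14 honest blocks afterwards) are assumptions chosen to mirror the reported 13-block depth.

```python
"""Toy model of a consensus split between patched and unpatched nodes.

Added example (not the article's or the Litecoin project's code). Blocks are
simple records, fork choice is 'most accumulated work', and the two validity
policies differ only in whether a block carrying the invalid transaction is
accepted. All block counts below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Block:
    hash: str
    parent: Optional[str]      # None for the genesis block
    height: int
    work: int                  # work contributed by this block alone
    has_invalid_tx: bool = False


class Node:
    """A node with a validity policy and the set of blocks it has accepted."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.blocks: Dict[str, Block] = {}
        self.tip: Optional[Block] = None

    def _parent_of(self, block: Block) -> Optional[Block]:
        return self.blocks.get(block.parent) if block.parent else None

    def accepts(self, block: Block) -> bool:
        # Patched nodes enforce the consensus rule; unpatched nodes do not.
        if self.patched and block.has_invalid_tx:
            return False
        # A block whose parent was never accepted is invalid too, so every
        # descendant of an invalid block is rejected by patched nodes.
        return block.parent is None or block.parent in self.blocks

    def cumulative_work(self, block: Block) -> int:
        total, cur = 0, block
        while cur is not None:
            total += cur.work
            cur = self._parent_of(cur)
        return total

    def reorg_depth(self, old_tip: Optional[Block], new_tip: Block) -> int:
        """Blocks discarded from old_tip down to the common ancestor of both tips."""
        if old_tip is None:
            return 0
        on_new_branch, cur = set(), new_tip
        while cur is not None:
            on_new_branch.add(cur.hash)
            cur = self._parent_of(cur)
        depth, cur = 0, old_tip
        while cur is not None and cur.hash not in on_new_branch:
            depth += 1
            cur = self._parent_of(cur)
        return depth

    def receive(self, block: Block) -> Optional[int]:
        """Returns None if rejected, 0 if the tip merely extended, otherwise the
        reorg depth when the node switched to a heavier branch."""
        if not self.accepts(block):
            return None
        self.blocks[block.hash] = block
        if self.tip is None or self.cumulative_work(block) > self.cumulative_work(self.tip):
            old_tip, self.tip = self.tip, block
            return self.reorg_depth(old_tip, block)
        return 0


def build_branch(prefix: str, fork_point: Block, n: int, invalid_first: bool) -> List[Block]:
    branch, parent = [], fork_point
    for i in range(n):
        blk = Block(f"{prefix}{i}", parent.hash, parent.height + 1, 1,
                    has_invalid_tx=(invalid_first and i == 0))
        branch.append(blk)
        parent = blk
    return branch


def simulate(attacker_blocks: int = 13, honest_blocks_after: int = 14
             ) -> Tuple[Node, Node, Dict[str, List[Tuple[str, Optional[int]]]]]:
    # Constructed shared history: genesis plus 100 blocks everyone agrees on.
    shared = [Block("g", None, 0, 1)]
    for h in range(1, 101):
        shared.append(Block(f"s{h}", shared[-1].hash, h, 1))
    fork_point = shared[-1]
    # Branch A: mined by unpatched miners while the patched miners are offline;
    # its first block carries the invalid transaction.
    branch_a = build_branch("a", fork_point, attacker_blocks, invalid_first=True)
    # Branch B: mined by patched miners once back online, from the same fork point.
    branch_b = build_branch("b", fork_point, honest_blocks_after, invalid_first=False)
    patched, unpatched = Node(patched=True), Node(patched=False)
    events: Dict[str, List[Tuple[str, Optional[int]]]] = {"patched": [], "unpatched": []}
    for node, name in ((patched, "patched"), (unpatched, "unpatched")):
        for blk in shared + branch_a + branch_b:
            events[name].append((blk.hash, node.receive(blk)))
    return patched, unpatched, events


if __name__ == "__main__":
    p, u, ev = simulate()
    print("patched tip:", p.tip.hash, " unpatched tip:", u.tip.hash)
    print("unpatched reorgs:", [(h, d) for h, d in ev["unpatched"] if d])
```

Run as written, the patched node rejects every block on branch A and never reorganizes, while the unpatched node follows branch A for 13 blocks and then discards all 13 when branch B becomes heavier, which is the depth reported for the incident. Raising `attacker_blocks` or lowering the honest hashrate that returns afterwards shows how the reorg depth grows with the time the patched miners are kept offline.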