Litecoin Suffers Denial-of-Service Attack, Successfully Reverses 13 Blocks
Late Friday and Saturday, a series of events unfolded on the Litecoin network, beginning with a denial-of-service attack that targeted major mining pools and exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol. The flaw allowed invalid transactions to be processed by nodes that had not yet updated. The network's longest valid chain eventually corrected these transactions through a 13-block reorganization, effectively rewinding 32 minutes of network activity.

The Litecoin Core v0.21.5.4 release, which includes important security updates, has been made available, and all users are advised to upgrade. According to the Litecoin Foundation, the bug was fully patched and the network returned to normal operation by Sunday morning.

Nevertheless, security researchers have pointed out discrepancies in the timeline of events. The litecoin-project GitHub repository suggests that the consensus vulnerability was known and privately patched between March 19 and 26, roughly four weeks before the attack. This raises questions about how the vulnerability was handled and about the window of opportunity it left for attackers. A separate denial-of-service vulnerability was patched on April 25, and both fixes were incorporated into release 0.21.5.4 only after the attack had commenced.

The incident highlights a challenge faced by older proof-of-work networks like Litecoin: independent mining pools decide for themselves when to upgrade, which can leave the network exposed when there is no coordinated response to security patches.
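The mechanics behind the article's two central points, that unpatched nodes accepted blocks patched nodes would reject, and that the longest valid chain later forced a 13-block reorganization, can be shown with a small chain-selection simulation. The following is an added illustration written for this page; it is not Litecoin Core code and does not model the actual MWEB defect. The transaction check is abstracted to a constructed `well_formed` flag, chain selection uses chain length as a stand-in for accumulated work, and the 2.5-minute figure is Litecoin's target block interval (13 blocks at 2.5 minutes is 32.5 minutes, matching the roughly 32 minutes of activity the article says was rewound). Block and transaction identifiers are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Tuple

LITECOIN_BLOCK_INTERVAL_MIN = 2.5  # Litecoin's target block time (real value)


@dataclass(frozen=True)
class Tx:
    txid: str
    well_formed: bool  # constructed stand-in for "passes the patched consensus check"


@dataclass(frozen=True)
class Block:
    height: int
    prev: str
    txs: Tuple[Tx, ...]

    @property
    def hash(self) -> str:
        payload = f"{self.height}|{self.prev}|{','.join(t.txid for t in self.txs)}"
        return hashlib.sha256(payload.encode()).hexdigest()[:16]


def unpatched_rules(tx: Tx) -> bool:
    # Abstracted pre-fix behaviour: the missing check lets every tx through.
    return True


def patched_rules(tx: Tx) -> bool:
    # Post-fix behaviour: malformed transactions make the whole block invalid.
    return tx.well_formed


def chain_is_valid(chain: List[Block], rules: Callable[[Tx], bool]) -> bool:
    prev = "genesis"
    for blk in chain:
        if blk.prev != prev or not all(rules(t) for t in blk.txs):
            return False
        prev = blk.hash
    return True


def reorg_plan(current: List[Block], new: List[Block]):
    """Return (blocks to disconnect, blocks to connect) relative to the fork point."""
    common = 0
    for a, b in zip(current, new):
        if a.hash != b.hash:
            break
        common += 1
    return current[common:], new[common:]


class Node:
    def __init__(self, rules: Callable[[Tx], bool]):
        self.rules = rules
        self.chain: List[Block] = []
        self.reorgs: List[int] = []  # depth of every reorganization this node performed

    def receive(self, candidate: List[Block]) -> str:
        if not chain_is_valid(candidate, self.rules):
            return "rejected"
        if len(candidate) <= len(self.chain):
            return "ignored"  # not longer than what we already have
        disconnect, _ = reorg_plan(self.chain, candidate)
        self.chain = list(candidate)
        if disconnect:
            self.reorgs.append(len(disconnect))
            return f"reorg {len(disconnect)}"
        return "extended"


def build_chain(base: List[Block], n: int, label: str, malformed_first: bool = False):
    """Extend `base` by n constructed blocks; optionally plant one malformed tx in the first."""
    chain = list(base)
    prev = chain[-1].hash if chain else "genesis"
    for i in range(n):
        h = len(chain)
        txs = [Tx(f"{label}-h{h}-coinbase", True)]
        if malformed_first and i == 0:
            txs.append(Tx(f"{label}-h{h}-malformed", False))
        blk = Block(h, prev, tuple(txs))
        chain.append(blk)
        prev = blk.hash
    return chain


def simulate() -> dict:
    common = build_chain([], 5, "common")
    # Constructed scenario: a 13-block branch carrying a malformed tx arrives first,
    # then an honest 14-block branch from the same fork point overtakes it.
    attack = build_chain(common, 13, "attack", malformed_first=True)
    honest = build_chain(common, 14, "honest")
    unpatched, patched = Node(unpatched_rules), Node(patched_rules)
    for node in (unpatched, patched):
        for chain in (common, attack, honest):
            node.receive(chain)
    depth = unpatched.reorgs[-1] if unpatched.reorgs else 0
    return {
        "unpatched_reorg_depth": depth,
        "minutes_rewound": depth * LITECOIN_BLOCK_INTERVAL_MIN,
        "patched_reorg_depth": max(patched.reorgs, default=0),
        "reverted_malformed_txids": [t.txid for b in attack[5:] for t in b.txs if not t.well_formed],
    }


if __name__ == "__main__":
    print(simulate())
```

The unpatched node follows the malformed branch because its validator cannot see the defect, and is later forced to disconnect all 13 of those blocks when the longer valid branch arrives; the patched node rejects the malformed branch outright and simply extends its chain, with no reorganization of its own history. From a monitoring standpoint, a sudden deep reorg on some nodes but not others is exactly the signal that validation rules have diverged across the network.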