Litecoin Recovers from Denial-of-Service Attack by Rewriting 13 Blocks
Over Friday and Saturday, a 13-block chain reorganization on the Litecoin network reversed the effects of a denial-of-service attack that had exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol. The attackers used the bug to get invalid MWEB transactions accepted by nodes that had not been updated. A fix for the vulnerability had been applied privately between March 19 and 26, more than four weeks before the attack, but it was neither publicly announced nor required of all mining pools, which left the window the attackers used. Litecoin Core v0.21.5.4, which includes the security fixes, has now been released, and all users are advised to upgrade. According to the Litecoin Foundation, the bug has been fully patched and the network is operating normally. Security researchers have nonetheless pointed to discrepancies in the timeline of events, suggesting that the vulnerability was known and addressed privately before the attack. The incident highlights a structural weakness of older proof-of-work networks such as Litecoin: independent mining pools decide for themselves when to upgrade, so part of the network can keep running vulnerable rules, leaving a window open to exploitation.
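The mechanism behind the recovery, a validation-rule split followed by a most-work reorganization, can be shown in a small simulation. The following is an added illustration written for this page, not Litecoin or MWEB code: it models a made-up extension transaction kind ("ext") with a proof that pre-patch nodes never check and patched nodes verify, gives every block equal work, and uses the hypothetical functions `best_tip`, `reorg_depth` and `simulate`. It shows why non-upgraded nodes follow the invalid chain until honest miners out-work it, and then have to discard exactly the attack blocks, while upgraded nodes never accept those blocks in the first place.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    kind: str              # "plain", or "ext" as a constructed stand-in for an extension-block tx
    proof_ok: bool = True  # whether the (modelled) extension proof verifies


@dataclass(eq=False)      # identity-based equality so blocks can be collected by id()
class Block:
    height: int
    parent: "Block | None"
    txs: tuple
    work: int = 1          # equal work per block keeps the toy model simple


def valid_under_old_rules(block: Block) -> bool:
    # Pre-patch nodes never check the extension proof: this is the modelled bug.
    return True


def valid_under_new_rules(block: Block) -> bool:
    # Patched nodes reject any block carrying an extension tx whose proof fails.
    return all(tx.kind != "ext" or tx.proof_ok for tx in block.txs)


def chain_of(tip):
    """All blocks from genesis to tip, oldest first."""
    blocks = []
    while tip is not None:
        blocks.append(tip)
        tip = tip.parent
    blocks.reverse()
    return blocks


def cumulative_work(tip):
    return sum(b.work for b in chain_of(tip))


def best_tip(tips, validator):
    """Fork choice: most cumulative work among tips whose entire chain validates."""
    acceptable = [t for t in tips if all(validator(b) for b in chain_of(t))]
    return max(acceptable, key=cumulative_work, default=None)


def extend(tip, txs, n):
    """Append n blocks, each carrying the same constructed transaction set."""
    for _ in range(n):
        tip = Block(tip.height + 1, tip, tuple(txs))
    return tip


def reorg_depth(old_tip, new_tip):
    """Number of blocks a node discards when it switches from old_tip to new_tip."""
    kept = set(map(id, chain_of(new_tip)))
    return sum(1 for b in chain_of(old_tip) if id(b) not in kept)


def simulate(attack_blocks=13):
    genesis = Block(0, None, ())
    common = extend(genesis, (Tx("plain"),), 5)
    # Attack chain: every block carries an extension tx whose proof fails.
    bad = extend(common, (Tx("ext", proof_ok=False),), attack_blocks)
    # Honest chain from patched miners: first one block behind, later one block ahead.
    good_behind = extend(common, (Tx("plain"),), attack_blocks - 1)
    good_ahead = extend(good_behind, (Tx("plain"),), 2)

    old_before = best_tip([bad, good_behind], valid_under_old_rules)
    new_before = best_tip([bad, good_behind], valid_under_new_rules)
    old_after = best_tip([bad, good_ahead], valid_under_old_rules)
    new_after = best_tip([bad, good_ahead], valid_under_new_rules)
    return {
        "old_nodes_followed_attack_chain": old_before is bad,
        "new_nodes_followed_attack_chain": new_before is bad or new_after is bad,
        "old_nodes_reorg_depth": reorg_depth(old_before, old_after),
        "new_nodes_reorg_depth": reorg_depth(new_before, new_after),
    }


if __name__ == "__main__":
    print(simulate())
```

The defensive lesson is in the two reorg depths: a node that enforces the corrected rules sees no reorganization at all, whereas a node still on the old rules accepts the invalid blocks, serves them to its peers, and later has to unwind every one of them. Monitoring for unexpectedly deep reorganizations, and for a divergence between the tip your own node follows and the tip reported by upgraded peers, is a practical early signal that a rule split is in progress.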