Litecoin Recovers from Denial-of-Service Attack by Rewriting 13 Blocks
Late Friday and Saturday, a denial-of-service attack targeted Litecoin's major mining pools by exploiting a vulnerability in the Mimblewimble Extension Block protocol. The result was a 13-block chain reorganization that effectively rewound 32 minutes of network activity. The attack allowed invalid transactions to slip through nodes that had not been updated, before the network's longest valid chain corrected them.

Following the incident, Litecoin Core v0.21.5.4 was released, with all users advised to upgrade because of important security updates. According to the Litecoin Foundation, the bug was fully patched, and the network is now operating normally.

However, security researchers have raised concerns about the timeline of events, noting that the consensus vulnerability was privately patched between March 19 and 26, roughly four weeks before the attack. The vulnerability was known and patched, but the fix had not been publicly broadcast or required for all mining pools, creating a window of vulnerability.

The attack has sparked discussion of how differently networks respond to exploits: newer chains have more centralized validator sets that can coordinate upgrades quickly, while older proof-of-work networks like Litecoin rely on independent mining pools to choose when to upgrade, potentially creating windows of vulnerability.