Litecoin Suffers Denial-of-Service Attack, Rolls Back 13 Blocks to Mitigate Damage

On Friday and Saturday, a 13-block reorganization occurred on the Litecoin (LTC) network, undoing approximately 32 minutes of network activity. Attackers exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol that allowed them to bypass major mining pools and push through invalid MWEB transactions before the network's longest valid chain corrected them. The bug was privately patched between March 19 and 26, and the fix was rolled into release 0.21.5.4 after the attack began. A separate denial-of-service vulnerability was patched on the morning of April 25. Researchers argue that the timeline of events does not align with the Litecoin Foundation's claim of a zero-day attack, as the consensus vulnerability was known and patched a month prior to the exploit. The attack highlights the differences in how various networks respond to exploits: newer chains can coordinate upgrades quickly, while older proof-of-work networks like Litecoin and Bitcoin rely on independent mining pools to upgrade, which creates a window of vulnerability.