Litecoin Suffers Denial-of-Service Attack, Successfully Reverses 13 Blocks
On Friday and Saturday, a chain reorganization of 13 blocks on the Litecoin network rewound roughly 32 minutes of activity (13 blocks at Litecoin's 2.5-minute target block interval) after attackers exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol. The bug enabled a denial-of-service attack against major mining pools, allowing invalid transactions to slip past nodes that had not been updated. Litecoin Core v0.21.5.4, which contains the security fixes, has been released, and all users are advised to upgrade. According to the Litecoin Foundation, the bug has been fully patched and the network is operating normally.

However, researchers have pointed out discrepancies in the timeline of events. The litecoin-project GitHub repository indicates that the consensus vulnerability was privately patched between March 19 and 26, roughly four weeks before the attack. A separate denial-of-service vulnerability was patched on April 25, and both fixes were rolled into release 0.21.5.4 only after the attack had begun.

The incident highlights a structural challenge for older proof-of-work networks like Litecoin: independent mining pools choose when to upgrade, so every security patch opens a window between its release and its adoption by the network's hash power during which the fixed bug can still be exploited against lagging nodes. The attack and the response to it also show how differently code maintainers and developers on various networks react to exploits.