Litecoin Recovers from Denial-of-Service Attack and 13-Block Chain Reorganization
Between late Friday and Saturday, a 13-block chain reorganization occurred on the Litecoin network, reversing approximately 32 minutes of network activity after attackers exploited a vulnerability in its Mimblewimble Extension Block (MWEB) protocol. The bug allowed a denial-of-service attack against major mining pools: invalid MWEB transactions were accepted by nodes that had not been updated, until the network's longest valid chain overrode them.

Following the incident, Litecoin Core v0.21.5.4 was released containing crucial security updates, and all users were advised to upgrade. According to the Litecoin Foundation, the bug has been fully patched and the network is functioning normally.

Security researchers have pointed out, however, that the litecoin-project GitHub repository shows a different timeline: the consensus vulnerability was privately patched between March 19 and 26, roughly four weeks before the attack. This raises concerns about the window of vulnerability that opened while some miners ran the patched code and others continued to run the vulnerable version, a difference the attackers were able to exploit.

The incident highlights a challenge for older proof-of-work networks such as Litecoin and Bitcoin, which rely on independent mining pools to choose when to upgrade; that leaves a window of vulnerability whenever a security patch needs to be applied quickly.
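To make the mechanics of the reorganization concrete, here is an added Python model of two nodes that run different validation rules while seeing the same candidate chains. It is constructed for this article and is not Litecoin Core code or anything from the litecoin-project repository; the `fails_patched_rules` flag, the block labels and the timestamps are all made up, and the flag merely stands in for "rejected by the updated MWEB checks" without describing the actual bug. The model shows why only nodes still on the old rules experience a reorg when the longest valid chain overtakes the fork they accepted, and how a monitor can measure the depth of that reorg and the span of activity it reversed.

```python
"""Toy model of a chain reorganization caused by a validation-rule split.

Constructed example: an unpatched node accepts a fork carrying a
transaction the patched rules reject, then switches to the longer valid
chain once it overtakes that fork; a small monitor measures the reorg.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLOCK_INTERVAL_SECS = 150  # Litecoin's target block spacing: 2.5 minutes


@dataclass(frozen=True)
class Tx:
    txid: str
    # Hypothetical stand-in for "fails the updated MWEB validation checks".
    # It says nothing about the real bug; it only models the rule split.
    fails_patched_rules: bool = False


@dataclass(frozen=True)
class Block:
    height: int
    block_hash: str
    prev_hash: str
    timestamp: int
    txs: Tuple[Tx, ...]


def make_block(prev: Optional[Block], label: str, timestamp: int,
               txs: Tuple[Tx, ...] = ()) -> Block:
    """Constructed blocks: the 'hash' is just a readable label plus height."""
    height = 0 if prev is None else prev.height + 1
    prev_hash = "genesis" if prev is None else prev.block_hash
    return Block(height, f"{label}{height}", prev_hash, timestamp, tuple(txs))


def chain_is_valid(chain: List[Block], patched: bool) -> bool:
    """Unpatched rules accept everything here; patched rules reject the bad tx."""
    if not patched:
        return True
    return not any(tx.fails_patched_rules for blk in chain for tx in blk.txs)


def common_ancestor_height(a: List[Block], b: List[Block]) -> int:
    """Height of the last block shared by two chains that start at genesis."""
    height = 0
    for x, y in zip(a, b):
        if x.block_hash != y.block_hash:
            break
        height = x.height
    return height


def measure_reorg(old: List[Block], new: List[Block]) -> Tuple[int, int]:
    """(blocks disconnected, wall-clock seconds they covered) when old -> new."""
    fork_point = common_ancestor_height(old, new)
    return old[-1].height - fork_point, old[-1].timestamp - old[fork_point].timestamp


class Node:
    """A node applying the longest-valid-chain rule under one rule version."""

    def __init__(self, patched: bool, chain: List[Block]):
        self.patched, self.chain = patched, list(chain)
        self.reorgs: List[Tuple[int, int]] = []  # (depth, seconds) per switch

    def receive(self, candidate: List[Block]) -> None:
        if not chain_is_valid(candidate, self.patched):
            return  # patched nodes never follow the fork with the bad tx
        if candidate[-1].height <= self.chain[-1].height:
            return  # equal height: keep the first-seen tip
        depth, seconds = measure_reorg(self.chain, candidate)
        if depth:  # a pure extension has depth 0 and is not a reorg
            self.reorgs.append((depth, seconds))
        self.chain = list(candidate)


def simulate(fork_len: int = 13) -> Dict[str, object]:
    """Shared prefix, a fork carrying the bad tx, and a longer clean fork."""
    t = 0
    prefix = [make_block(None, "P", t)]
    for _ in range(5):
        t += BLOCK_INTERVAL_SECS
        prefix.append(make_block(prefix[-1], "P", t))

    bad_tx = Tx("constructed-bad-tx", fails_patched_rules=True)
    fork_a, ta = list(prefix), t  # bad tx sits in the fork's first block
    for i in range(fork_len):
        ta += BLOCK_INTERVAL_SECS
        fork_a.append(make_block(fork_a[-1], "A", ta, (bad_tx,) if i == 0 else ()))
    fork_b, tb = list(prefix), t  # built by patched miners, one block longer
    for _ in range(fork_len + 1):
        tb += BLOCK_INTERVAL_SECS
        fork_b.append(make_block(fork_b[-1], "B", tb))

    unpatched, patched = Node(False, prefix), Node(True, prefix)
    for node in (unpatched, patched):
        node.receive(fork_a)  # the bad fork propagates first
        node.receive(fork_b)  # the clean, longer fork overtakes it
    return {
        "unpatched_reorgs": unpatched.reorgs, "unpatched_tip": unpatched.chain[-1].block_hash,
        "patched_reorgs": patched.reorgs, "patched_tip": patched.chain[-1].block_hash,
    }


if __name__ == "__main__":
    for key, val in simulate().items():
        print(f"{key}: {val}")
```

With the default 13-block fork the unpatched node records one reorg of 13 blocks spanning 1950 seconds (32.5 minutes at the 2.5-minute interval, in line with the roughly 32 minutes reported), while the patched node, which never accepted the fork, sees only an ordinary extension. A production monitor would apply the same two measurements to the tip hash and height its own node reports after each block, alerting when the depth exceeds a threshold; the version split, not the reorg itself, is what made the depth so large here.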