Litecoin Network Recovers from Denial-of-Service Attack and 13-Block Reorganization
Over Friday and Saturday, a series of events unfolded on the Litecoin network, beginning with a 13-block chain reorganization that rewound approximately 32 minutes of network activity. The reorganization was a response to a denial-of-service attack that exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol, allowing invalid transactions to pass through nodes that had not been updated. Litecoin Core v0.21.5.4, which includes important security updates, has been released to all users, who are advised to upgrade. According to the Litecoin Foundation, the bug has been fully patched and the network is now operating normally.

However, security researchers have pointed out that the timeline visible in the litecoin-project GitHub repository indicates the consensus vulnerability was privately patched between March 19 and 26, roughly four weeks before the attack occurred. This has raised questions about how the vulnerability was handled and about the potential for future exploits. The attack itself combined a denial-of-service vulnerability with the MWEB bug; the two were patched separately, and the fixes were rolled into release v0.21.5.4 after the attack had begun. Further analysis suggests the attackers knew which mining nodes were running the patched code and which were still vulnerable, allowing them to target the vulnerable nodes.

The incident highlights the challenges older proof-of-work networks like Litecoin face in responding to security exploits, particularly when compared with newer chains that have more centralized validator sets. The full extent of the damage, including the amount of LTC pegged out during the invalid-block window and the value of any swaps completed before the reorganization, has not been disclosed.
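As a defender's monitoring check, and not code from this report or from Litecoin Core, the following added Python example compares a node's previously best chain with the chain that replaced it to measure how many blocks were orphaned and how much activity was rewound; the headers are constructed sample data spaced at Litecoin's 150-second target, and the alert threshold is an assumption.

```python
"""Deep-reorg alerting check (added example; constructed data, not Litecoin chain data).
Hashes are labels; timestamps assume Litecoin's 150-second target block spacing."""
from dataclasses import dataclass

LTC_BLOCK_INTERVAL_SEC = 150  # Litecoin's 2.5-minute target spacing
REORG_ALERT_DEPTH = 6         # alerting threshold; an assumption for this example


@dataclass(frozen=True)
class Header:
    hash: str
    prev_hash: str
    height: int
    time: int  # Unix timestamp


def make_chain(prefix, base, n):
    """Build n headers extending `base`, 150 s apart (constructed sample data)."""
    chain, prev = [], base
    for i in range(1, n + 1):
        prev = Header(f"{prefix}{i}", prev.hash, prev.height + 1,
                      prev.time + LTC_BLOCK_INTERVAL_SEC)
        chain.append(prev)
    return chain


def analyze_reorg(old_chain, new_chain):
    """Compare the previously best chain with the new one.
    Returns (orphaned_depth, rewound_minutes, alert)."""
    new_hashes = {h.hash for h in new_chain}
    orphaned, fork = 0, None
    for h in reversed(old_chain):  # walk back from the old tip
        if h.hash in new_hashes:   # first block shared with the new chain
            fork = h
            break
        orphaned += 1
    if fork is None:
        raise ValueError("no common ancestor within the supplied windows")
    rewound_min = (old_chain[-1].time - fork.time) / 60
    return orphaned, rewound_min, orphaned >= REORG_ALERT_DEPTH


def demo():
    """Constructed scenario mirroring the reported 13-block reorg."""
    base = Header("g", "", 0, 1_700_000_000)
    common = [base] + make_chain("c", base, 5)
    old = common + make_chain("a", common[-1], 13)   # branch that got orphaned
    new = common + make_chain("b", common[-1], 14)   # heavier replacement branch
    return analyze_reorg(old, new)
```

A live monitor would fill the two header lists from a node's `getblockhash` and `getblockheader` RPCs on each tip change and page an operator when the threshold trips.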