Litecoin Recovers from Denial-of-Service Attack and 13-Block Chain Reorganization

On Friday and Saturday, a series of events unfolded as a 13-block chain reorganization on the Litecoin network rewound approximately 32 minutes of activity. This was in response to a denial-of-service attack that exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol, allowing invalid transactions to bypass nodes that had not been updated. The Litecoin Core v0.21.5.4 release has since been made available, containing crucial security updates. According to the Litecoin Foundation, the bug has been fully patched, and the network is now operating as normal. However, security researchers have pointed out discrepancies in the timeline of events, suggesting that the consensus vulnerability was privately patched between March 19 and 26, roughly four weeks prior to the attack. A separate denial-of-service vulnerability was also patched on April 25. Both fixes were incorporated into the release 0.21.5.4 on the afternoon of the attack. The incident has sparked discussions about the differences in how various networks respond to exploits, with newer chains often coordinating upgrades quickly and older proof-of-work networks like Litecoin facing challenges in pushing patches to all independent mining pools promptly.