Litecoin Recovers from Denial-of-Service Attack by Rewriting 13 Blocks
Late Friday and Saturday, a denial-of-service attack on Litecoin exploited a vulnerability in its Mimblewimble Extension Block (MWEB) protocol, temporarily rewriting 13 blocks and reversing roughly 32 minutes of network activity (13 blocks at Litecoin's 2.5-minute target block interval). The bug allowed transactions that were invalid under the patched consensus rules to be accepted by nodes that had not been updated; the blocks containing them were later discarded when the longest valid chain overtook them. In response, Litecoin Core released version 0.21.5.4 and advised all users to upgrade, citing important security fixes. According to the Litecoin Foundation, the bug was fully patched and the network returned to normal operation by Sunday morning.

Security researchers, however, have pointed to discrepancies in the timeline. They suggest the consensus vulnerability was privately patched between March 19 and 26, roughly a month before the attack. That patch was neither publicly disclosed nor mandated for all mining pools, leaving a window in which patched and unpatched nodes enforced different rules. The attackers appear to have exploited that window, using a denial-of-service attack against unpatched nodes to get the invalid transactions into the chain. Blockchain data indicates the attacker had pre-funded a wallet 38 hours before the exploit, intending to swap the LTC for ETH on a decentralized exchange.

That the network handled the 13-block reorganization automatically once the denial-of-service attack stopped suggests that enough hashrate was running the updated code to eventually outpace the attacker's chain. The incident highlights how differently networks respond to exploits: newer chains often coordinate upgrades quickly, while older proof-of-work networks like Litecoin depend on independent mining pools each choosing when to upgrade.
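The chain-selection behaviour described above, as an added simulation that is not Litecoin Core's code and not the actual MWEB validation logic: two nodes, one enforcing a consensus rule and one not, receive the same blocks and follow the valid chain with the most accumulated work. The block structure, the one-unit-of-work-per-block simplification, the `mweb_valid` flag standing in for the real MWEB check, and the chain lengths (a 13-block attacker chain overtaken by a 14-block honest chain, chosen to match the reported reorg depth) are all constructed assumptions.

```python
"""Added illustration of why a privately patched consensus rule splits the
network, and why the unpatched side reorgs once patched hashrate overtakes.
Not Litecoin Core code; the 'mweb_valid' flag is a constructed stand-in."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    mweb_valid: bool = True   # constructed stand-in for the MWEB consensus check


@dataclass(frozen=True)
class Block:
    block_hash: str
    prev: Optional[str]
    height: int
    txs: Tuple[Tx, ...] = ()
    work: int = 1             # simplification: every block carries one unit of work


GENESIS = Block("genesis", None, 0)


class Node:
    """Keeps every block it considers valid and follows the valid chain with
    the most accumulated work. Whether the MWEB rule is enforced models the
    difference between a patched and an unpatched node."""

    def __init__(self, enforces_mweb_rule: bool) -> None:
        self.enforces_mweb_rule = enforces_mweb_rule
        self.blocks: Dict[str, Block] = {GENESIS.block_hash: GENESIS}
        self.chainwork: Dict[str, int] = {GENESIS.block_hash: 0}
        self.tip: Block = GENESIS
        self.reorgs: List[int] = []   # depth of every reorg this node performed

    def is_valid(self, b: Block) -> bool:
        if b.prev not in self.blocks:
            return False   # parent unknown or previously rejected: cannot build on it
        if self.enforces_mweb_rule and any(not t.mweb_valid for t in b.txs):
            return False   # a patched node rejects the block carrying the invalid tx
        return True

    def receive(self, b: Block) -> bool:
        """Return True if the block was accepted; switch tips only on more work."""
        if not self.is_valid(b):
            return False
        self.blocks[b.block_hash] = b
        self.chainwork[b.block_hash] = self.chainwork[b.prev] + b.work
        if self.chainwork[b.block_hash] > self.chainwork[self.tip.block_hash]:
            depth = self.reorg_depth(self.tip, b)
            if depth > 0:
                self.reorgs.append(depth)
            self.tip = b
        return True

    def ancestors(self, b: Optional[Block]) -> Iterator[Block]:
        while b is not None:
            yield b
            b = self.blocks.get(b.prev) if b.prev is not None else None

    def reorg_depth(self, old_tip: Block, new_tip: Block) -> int:
        """Number of blocks disconnected from old_tip back to the fork with new_tip."""
        on_new = {x.block_hash for x in self.ancestors(new_tip)}
        for a in self.ancestors(old_tip):
            if a.block_hash in on_new:
                return old_tip.height - a.height
        return old_tip.height


def mine_chain(parent: Block, n: int, tag: str,
               first_txs: Tuple[Tx, ...] = ()) -> List[Block]:
    """Constructed blocks; the optional txs go into the first block of the run."""
    out: List[Block] = []
    for i in range(n):
        parent = Block(f"{tag}{i + 1}", parent.block_hash, parent.height + 1,
                       first_txs if i == 0 else ())
        out.append(parent)
    return out


def simulate(attack_len: int = 13, honest_len: int = 14) -> dict:
    unpatched = Node(enforces_mweb_rule=False)
    patched = Node(enforces_mweb_rule=True)
    # Attacker's chain: its first block carries a tx invalid under the patched rules.
    attack = mine_chain(GENESIS, attack_len, "a", (Tx("bad", mweb_valid=False),))
    # Honest chain from patched hashrate; it arrives later (the DoS delayed it).
    honest = mine_chain(GENESIS, honest_len, "h")
    accepted_by_patched = 0
    for b in attack:
        unpatched.receive(b)
        accepted_by_patched += int(patched.receive(b))
    for b in honest:
        unpatched.receive(b)
        patched.receive(b)
    return {
        "unpatched_tip": unpatched.tip.block_hash,
        "patched_tip": patched.tip.block_hash,
        "unpatched_reorgs": unpatched.reorgs,
        "patched_reorgs": patched.reorgs,
        "attack_blocks_accepted_by_patched": accepted_by_patched,
    }


if __name__ == "__main__":
    print(simulate())
```

The unpatched node accepts all 13 attacker blocks and only abandons them when the honest chain carries strictly more work, recording a single reorg of depth 13; the patched node rejects the first attacker block outright, so every later attacker block is an orphan to it and it never reorgs at all. Lengthening `attack_len` shows the point made in the text: the unpatched side converges only if patched hashrate eventually out-mines the attacker.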