Litecoin Recovers from Denial-of-Service Attack by Rewriting 13 Blocks
On Friday and Saturday, a 13-block chain reorganization occurred on the Litecoin network, effectively reversing approximately 32 minutes of network activity. The reorganization was a response to a denial-of-service attack that exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol, allowing invalid transactions to bypass nodes that had not been updated. The attack targeted major mining pools, taking advantage of the vulnerability before the network's longest valid chain corrected the transactions. In response, Litecoin Core v0.21.5.4 was released with crucial security updates, and users are advised to upgrade. According to the Litecoin Foundation, the bug has been fully patched and the network is now operating normally.
However, security researchers have pointed out discrepancies in the timeline of events, based on the litecoin-project GitHub repository. The repository shows that the consensus vulnerability was privately patched between March 19 and 26, roughly four weeks before the attack. A separate denial-of-service vulnerability was addressed on April 25. Both fixes were included in release 0.21.5.4, after the attack had begun. The incident has raised concerns about how vulnerabilities are handled and about the potential for attacks on decentralized networks.
Prominent researchers argue that the attack consisted of two components: a denial-of-service attack designed to take patched mining nodes offline, and a separate exploit targeting the MWEB bug. The fact that the network automatically handled the 13-block reorganization once the denial-of-service attack stopped suggests that enough hashrate was running updated code to eventually overpower the attack. The incident highlights the differences in how various networks respond to exploits, with newer chains often coordinating upgrades more quickly than older proof-of-work networks like Litecoin and Bitcoin.
As of Sunday morning, the Litecoin Foundation had not publicly addressed the GitHub timeline, and the amount of LTC pegged out during the invalid block window, as well as the value of any swaps completed before the reorganization reversed them, remains undisclosed.