Litecoin Network Faces Denial-of-Service Attack, Successfully Reverses 13 Blocks
On Friday and Saturday, the Litecoin network experienced a significant disruption due to a denial-of-service attack, which rewound approximately 32 minutes of network activity. The attack exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol that allowed invalid transactions to get past nodes that had not been updated. However, the network's longest valid chain eventually corrected these transactions. A recent release, Litecoin Core v0.21.5.4, addresses the issue, and users are advised to upgrade for important security updates.

Despite the foundation's claim that the bug was fully patched and the network is operating normally, prominent researchers argue that the timeline of events, as shown on the litecoin-project GitHub repository, tells a different story. The consensus vulnerability was privately patched between March 19 and March 26, roughly four weeks before the attack, but the fix had not been publicly disclosed or mandated for all mining pools. This created a window of opportunity for attackers, who appeared to be aware of which miners were running the patched code and which were still vulnerable. The attack also involved a separate denial-of-service vulnerability, which was patched on the morning of April 25, and both fixes were included in release 0.21.5.4 after the attack had begun.

The incident highlights the challenges faced by older proof-of-work networks like Litecoin, which rely on independent mining pools to upgrade, creating a window of vulnerability when security patches need to be implemented quickly. The amount of LTC affected during the invalid block window and the value of any swaps completed before the reorganization reversed them have not been disclosed.