Litecoin Network Recovers from Denial-of-Service Attack and Block Reorganization

On Friday and Saturday, the Litecoin network experienced a significant disruption due to a denial-of-service attack that exploited a vulnerability in its Mimblewimble Extension Block (MWEB) protocol, leading to a 13-block reorganization to rectify the issue. The attack allowed invalid transactions to be processed by nodes that had not been updated, before the network's longest valid chain corrected them.

A patch for the vulnerability was released in Litecoin Core v0.21.5.4, with users advised to upgrade for important security updates. According to the Litecoin Foundation, the bug was fully patched and the network is operating normally.

However, analysis of the litecoin-project GitHub repository suggests that the consensus vulnerability was privately patched between March 19 and 26, roughly four weeks before the attack, raising questions about the timeline of events. The vulnerability allowed for a denial-of-service attack against major mining pools, enabling invalid MWEB transactions to slip through nodes that had not updated. Researchers argue that the attack was not a traditional zero-day, as the vulnerability was known and patched privately before the exploit.

The incident highlights the challenges faced by older proof-of-work networks like Litecoin, where independent mining pools choose when to upgrade, creating a window of vulnerability when a security patch needs to be applied. The amount of LTC affected by the invalid block window and the value of any swaps completed before the reorganization reversed them have not been disclosed.