Litecoin Network Recovers from Denial-of-Service Attack and 13-Block Reorganization
Late Friday and Saturday, a series of events on the Litecoin network ended in a 13-block chain reorganization that rewound roughly 32 minutes of confirmed activity (Litecoin targets one block every 2.5 minutes, so 13 blocks is about 32.5 minutes). The reorganization followed a denial-of-service attack against major mining pools that exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol. Any transaction that had fewer than 13 confirmations during that window lost them when the chain was rewound.

The vulnerability had been privately patched between March 19 and 26, but the fix had neither been publicly disclosed nor mandated for all mining pools, which left a window the attackers used. Nodes that had not been updated accepted invalid MWEB transactions, and those blocks stood until the network's longest valid chain displaced them. In response, Litecoin Core v0.21.5.4 was released with the security fixes.

Prominent researchers have pointed out that the patch timeline visible in the litecoin-project GitHub repository tells a different story from the one the Litecoin Foundation initially presented. The foundation has stated that the bug is fully patched and the network is operating normally, but the sequence of events has raised concerns about how the vulnerability and the attack were handled.

The incident illustrates a structural problem for older proof-of-work networks such as Litecoin and Bitcoin: independent mining pools decide for themselves when to upgrade, so a consensus-relevant security patch has to reach every pool before an attacker can exploit the gap between patched and unpatched nodes.
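The reorg described above is what a node sees when the chain it had accepted is replaced by a longer valid chain that forks off some blocks back. The following script is an added example, not code from Litecoin Core or the litecoin-project repository: it compares a node's previously accepted chain with its new best chain, finds the fork point, reports the reorg depth and the approximate time rewound, and lists transactions that were confirmed on the discarded blocks but never reappeared on the replacement chain. The chain data is constructed inline (short labels such as `old9` stand in for real block hashes, and `mweb_invalid_tx` is a hypothetical transaction id) to reproduce a 13-block reorg; none of it is real Litecoin data.

```python
"""Detect and characterise a chain reorganization (added example, constructed data)."""
from dataclasses import dataclass

# Litecoin targets one block every 2.5 minutes, so 13 blocks is about 32.5 minutes.
LTC_BLOCK_INTERVAL_SECONDS = 150


@dataclass(frozen=True)
class Block:
    height: int
    hash: str          # hypothetical short labels instead of real 256-bit hashes
    prev_hash: str
    txids: frozenset   # transaction ids confirmed in this block


@dataclass(frozen=True)
class ReorgReport:
    fork_height: int          # last height on which both chains agree
    depth: int                # number of previously accepted blocks discarded
    seconds_rewound: int      # approximate wall-clock time of discarded history
    dropped_txids: frozenset  # confirmed on the old chain, absent from the new one


def _check_linkage(chain):
    """Reject input that is not a contiguous prev_hash-linked sequence."""
    for prev, blk in zip(chain, chain[1:]):
        if blk.prev_hash != prev.hash or blk.height != prev.height + 1:
            raise ValueError(f"broken chain at height {blk.height}")


def detect_reorg(old_chain, new_chain, block_interval=LTC_BLOCK_INTERVAL_SECONDS):
    """Compare the chain a node had accepted with the chain it now considers best.

    Both lists are ordered by height from the same genesis block. Returns None
    when new_chain merely extends old_chain, otherwise a ReorgReport.
    """
    _check_linkage(old_chain)
    _check_linkage(new_chain)
    if old_chain[0].hash != new_chain[0].hash:
        raise ValueError("chains do not share a genesis block")
    common = 0
    for a, b in zip(old_chain, new_chain):
        if a.hash != b.hash:
            break
        common += 1
    orphaned = old_chain[common:]
    if not orphaned:
        return None  # plain extension of the existing chain, no reorg
    replacement = new_chain[common:]
    if len(replacement) < len(orphaned):
        # A node following the longest valid chain never switches to a shorter one.
        raise ValueError("new chain is shorter than the one it replaces")
    kept = frozenset(t for blk in replacement for t in blk.txids)
    dropped = frozenset(t for blk in orphaned for t in blk.txids) - kept
    return ReorgReport(
        fork_height=old_chain[common - 1].height,
        depth=len(orphaned),
        seconds_rewound=len(orphaned) * block_interval,
        dropped_txids=dropped,
    )


def build_sample_chains():
    """Constructed scenario, not real Litecoin data: heights 0-6 are shared, the
    old chain's heights 7-19 (13 blocks) are replaced by 14 blocks on the new chain.
    Height 9 on the old chain carries a transaction only unpatched nodes accepted."""
    shared, prev = [], "genesis"
    for h in range(7):
        blk = Block(h, f"b{h}", prev, frozenset({f"tx{h}"}))
        shared.append(blk)
        prev = blk.hash
    old_chain, prev = list(shared), shared[-1].hash
    for h in range(7, 20):
        txids = {f"tx{h}"}
        if h == 9:
            txids.add("mweb_invalid_tx")  # hypothetical id for the invalid transaction
        blk = Block(h, f"old{h}", prev, frozenset(txids))
        old_chain.append(blk)
        prev = blk.hash
    new_chain, prev = list(shared), shared[-1].hash
    for h in range(7, 21):
        # Legitimate transactions are re-mined on the replacement chain.
        blk = Block(h, f"new{h}", prev, frozenset({f"tx{h}"}))
        new_chain.append(blk)
        prev = blk.hash
    return old_chain, new_chain


if __name__ == "__main__":
    report = detect_reorg(*build_sample_chains())
    print(report)
```

Running the script reports a fork at height 6, a depth of 13, 1950 seconds rewound, and `mweb_invalid_tx` as the only transaction that vanished: the legitimate transactions were simply re-mined on the replacement chain, which is why a reorg is not by itself a loss for correctly formed transactions, while anything that depended on the invalid ones was reversed.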