Litecoin Network Suffers Denial-of-Service Attack, Successfully Reverses 13 Blocks

Late Friday and into Saturday, a denial-of-service attack hit the Litecoin network in combination with an exploit of a vulnerability in its Mimblewimble Extension Block (MWEB) protocol. Undoing the damage required a 13-block reorganization, which rewound roughly 32 minutes of network activity (13 blocks at Litecoin's 2.5-minute target block interval). LTC was trading at $54.96 at the time.

The vulnerability had been patched privately between March 19 and 26, but the fix was neither publicly disclosed nor mandated for all mining pools, leaving a window for the attackers. A security researcher pointed out that the patch history on the litecoin-project GitHub repository shows the bug was known and fixed about a month before the attack. In the researcher's view, the exploit combined the consensus vulnerability with a denial-of-service attack designed to take patched mining nodes offline.

That the network resolved the 13-block reorganization on its own once the denial-of-service attack stopped suggests that enough hashrate was running the patched code to eventually out-build the attacker's chain.

The incident highlights how differently networks respond to exploits: newer chains can coordinate upgrades quickly, while older proof-of-work networks such as Litecoin struggle to get every mining pool to upgrade promptly. The Litecoin Foundation has released Litecoin Core v0.21.5.4, which contains important security updates, and users are advised to upgrade.
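To make the recovery mechanics concrete, here is an added toy fork-choice simulation written for this page; it is not Litecoin Core code. It models two node types, one enforcing the patched validation rules and one not, and abstracts the MWEB bug to a single "valid under patched rules" flag on the first attacker block, so no detail of the real vulnerability is implemented. The block labels, the one-unit-of-work-per-block difficulty and the 13-versus-14 block counts are illustrative assumptions.

```python
"""Toy proof-of-work fork-choice simulation (added illustration, not Litecoin code).

Scenario modelled:
  1. Patched miners are knocked offline by a DoS; the attacker extends the chain
     with blocks that unpatched nodes accept but patched nodes reject.
  2. The DoS ends; patched hashrate builds a valid chain from the fork point.
  3. Unpatched nodes reorganise onto the valid chain once it carries strictly
     more cumulative work.
The MWEB bug is abstracted to a boolean flag; nothing about it is implemented here.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Block:
    hash: str
    parent: Optional[str]
    height: int
    work: int            # assumed constant difficulty: 1 unit of work per block
    valid_patched: bool  # would a node running the patched rules accept it?


def mine(parent: Block, label: str, valid_patched: bool = True) -> Block:
    """Derive a deterministic child block id from parent id and a label (constructed data)."""
    h = hashlib.sha256(f"{parent.hash}|{label}".encode()).hexdigest()[:12]
    return Block(h, parent.hash, parent.height + 1, 1, valid_patched)


class Node:
    def __init__(self, patched: bool) -> None:
        self.patched = patched
        self.blocks: Dict[str, Block] = {}
        self.tip: Optional[str] = None
        self.reorgs: List[int] = []  # depth of every reorg this node performed

    def chainwork(self, h: Optional[str]) -> int:
        total = 0
        while h is not None:
            total += self.blocks[h].work
            h = self.blocks[h].parent
        return total

    def reorg_depth(self, old_tip: Optional[str], new_tip: str) -> int:
        """Blocks disconnected from old_tip to reach the fork point with new_tip."""
        if old_tip is None:
            return 0
        new_ancestors = set()
        h: Optional[str] = new_tip
        while h is not None:
            new_ancestors.add(h)
            h = self.blocks[h].parent
        depth, h = 0, old_tip
        while h not in new_ancestors:
            depth += 1
            h = self.blocks[h].parent
        return depth

    def receive(self, b: Block) -> None:
        # A patched node rejects the exploit block; an unpatched node accepts it.
        if self.patched and not b.valid_patched:
            return
        # Descendants of a rejected block arrive with an unknown parent: dropped.
        if b.parent is not None and b.parent not in self.blocks:
            return
        self.blocks[b.hash] = b
        # Fork choice: switch tips only for strictly more cumulative work (ties keep first-seen).
        if self.tip is None or self.chainwork(b.hash) > self.chainwork(self.tip):
            depth = self.reorg_depth(self.tip, b.hash)
            if depth > 0:
                self.reorgs.append(depth)
            self.tip = b.hash


def simulate(attacker_len: int = 13, honest_len: int = 14) -> dict:
    genesis = Block("genesis", None, 0, 1, True)
    patched, unpatched = Node(patched=True), Node(patched=False)
    for n in (patched, unpatched):
        n.receive(genesis)
    # Phase 1: patched miners DoS'd offline; attacker builds from the fork point.
    # Only the first attacker block exercises the bug; later ones are ordinary
    # blocks that the patched node still cannot connect because it lacks the parent.
    tip = genesis
    for i in range(attacker_len):
        tip = mine(tip, f"attack{i}", valid_patched=(i != 0))
        for n in (patched, unpatched):
            n.receive(tip)
    # Phase 2: DoS ends; patched hashrate extends the last block it considers valid.
    tip = genesis
    for i in range(honest_len):
        tip = mine(tip, f"honest{i}")
        for n in (patched, unpatched):
            n.receive(tip)
    return {
        "unpatched_reorgs": unpatched.reorgs,
        "patched_reorgs": patched.reorgs,
        "tips_agree": patched.tip == unpatched.tip,
    }


if __name__ == "__main__":
    print(simulate())        # unpatched node reorgs 13 deep; patched node never reorgs
    print(simulate(13, 13))  # equal work: unpatched node stays on the attacker chain
```

With 14 honest blocks against 13 attacker blocks the unpatched node records one reorganization of depth 13 and both node types end on the same tip, while the patched node never reorganizes because it never accepted the attacker's chain in the first place. The second call shows why "sufficient hashrate" matters: with equal cumulative work the unpatched node keeps the chain it saw first, so the valid chain must be strictly heavier before the network converges.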