Litecoin Falls Victim to Denial-of-Service Attack, Rolls Back 13 Blocks to Mitigate Damage
A chain reorganization of 13 blocks occurred on the Litecoin network late Friday into Saturday, effectively rewinding 32 minutes of network activity. Attackers leveraged a vulnerability in the Mimblewimble Extension Block (MWEB) protocol together with a denial-of-service attack against major mining pools, allowing invalid transactions to be accepted by nodes that had not been updated, until the network's longest valid chain corrected them. The Litecoin Core v0.21.5.4 release advises all users to upgrade, citing important security updates.

According to the Litecoin Foundation, the bug has been fully patched and the network is operating normally as of Sunday morning. Security researchers point out, however, that the timeline of events recorded in the GitHub repository tells a different story. The patch for the consensus vulnerability was applied between March 19 and 26, roughly a month before the attack, while a separate denial-of-service vulnerability was patched on April 25. Both fixes were incorporated into release 0.21.5.4 on the afternoon of the attack.

A zero-day is a vulnerability that is still unknown to defenders at the time of an attack. The commit history shows that the consensus vulnerability was known and patched privately a month before the exploit but had not been publicly disclosed or made mandatory for all mining pools, creating a window of opportunity for attackers who appeared to be aware of that gap.

Alex Shevchenko, CTO of NEAR Foundation's Aurora project, raised parallel concerns, noting that blockchain data showed the attacker had pre-funded a wallet 38 hours before the exploit through a Binance withdrawal, with the destination address already set to swap LTC for ETH on a decentralized exchange. Shevchenko argued that the denial-of-service attack and the MWEB bug were separate components: the DoS was designed to take patched mining nodes offline so that the unpatched ones would build the chain containing the invalid transactions.
The network's automatic handling of the 13-block reorganization once the DoS stopped suggests that enough hashrate was running updated code to eventually overpower the attack, but only after the unpatched fork had run for 32 minutes. The incident illustrates how much the response to an exploit depends on how a network's maintainers and operators are organized. Newer chains with smaller, more centralized validator sets can coordinate upgrades quickly, while older proof-of-work networks such as Litecoin and Bitcoin rely on independent mining pools choosing when to upgrade, creating a window of vulnerability in which a security patch must reach everyone before an attacker exploits the gap.

As of Sunday morning, the Litecoin Foundation has not publicly addressed the GitHub timeline, and neither the amount of LTC pegged out during the invalid block window nor the value of any swaps completed before the reorganization reversed them has been disclosed.
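For node operators and exchanges, the practical question raised by a reorganization like this one is how deep it went and whether it exceeded the confirmation depth they rely on for settlement. The following is an added example, not code from the article or from Litecoin Core: a small reorg-depth monitor that compares the block hashes a node previously accepted as its best chain with the hashes it reports after a tip change, locates the fork point, and raises an alert when the number of rewound blocks passes a configured threshold. The block heights and hashes are constructed; the only real-world constant assumed is Litecoin's 2.5-minute target block interval, which turns 13 rewound blocks into the roughly 32 minutes the article describes.

```python
"""Chain reorganization depth monitor (constructed example, not Litecoin Core code).

Compares two snapshots of a node's best chain, finds the common ancestor and
reports how many blocks were rewound and applied. Operators alert when the
rewound depth exceeds the confirmation depth they treat as final.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Litecoin targets one block every 2.5 minutes (real constant).
LTC_BLOCK_INTERVAL_MIN = 2.5


@dataclass(frozen=True)
class ReorgReport:
    fork_height: int            # height of the last block common to both chains
    rewound: int                # blocks dropped from the previously accepted chain
    applied: int                # blocks added from the new best chain
    rewound_hashes: Tuple[str, ...]  # hashes that are no longer on the best chain


def measure_reorg(old_chain: List[str], new_chain: List[str], base_height: int) -> ReorgReport:
    """old_chain and new_chain list block hashes from base_height upward,
    so index i is the block at height base_height + i."""
    common = 0
    for old_hash, new_hash in zip(old_chain, new_chain):
        if old_hash != new_hash:
            break
        common += 1
    if common == 0:
        # The snapshots do not overlap at all; the monitor needs a deeper window.
        raise ValueError("chains share no block; widen the snapshot window")
    fork_height = base_height + common - 1
    rewound = tuple(old_chain[common:])
    applied = new_chain[common:]
    return ReorgReport(fork_height, len(rewound), len(applied), rewound)


def reorg_alert(report: ReorgReport, max_depth: int) -> bool:
    """True when more blocks were rewound than the operator treats as final."""
    return report.rewound > max_depth


def rewound_minutes(report: ReorgReport, block_interval_min: float = LTC_BLOCK_INTERVAL_MIN) -> float:
    """Approximate wall-clock time the rewound blocks represent."""
    return report.rewound * block_interval_min


# Constructed sample: a fictitious base height and synthetic hash labels.
BASE_HEIGHT = 2_900_000  # not a real Litecoin height
OLD_TIP_CHAIN = [f"a{h}" for h in range(BASE_HEIGHT, BASE_HEIGHT + 15)]
# The new chain shares the first two blocks, then diverges with 14 blocks of its own.
NEW_TIP_CHAIN = OLD_TIP_CHAIN[:2] + [f"b{h}" for h in range(BASE_HEIGHT + 2, BASE_HEIGHT + 16)]


def sample_report() -> ReorgReport:
    return measure_reorg(OLD_TIP_CHAIN, NEW_TIP_CHAIN, BASE_HEIGHT)


if __name__ == "__main__":
    report = sample_report()
    print(f"fork at height {report.fork_height}: rewound {report.rewound} blocks "
          f"(~{rewound_minutes(report):.1f} min), applied {report.applied}")
    if reorg_alert(report, max_depth=6):
        print("ALERT: reorg deeper than the 6-confirmation settlement threshold")
```

The monitor only reads chain state and never validates blocks itself; it assumes the node feeding it has already applied its own consensus rules. In practice the two snapshots would come from successive calls to the node's RPC interface, and the alert would feed whatever pager or ticketing system the operator uses.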