Litecoin Recovers from Denial-of-Service Attack by Rewriting 13 Blocks
On Friday and Saturday, a chain reorganization of 13 blocks was executed to undo the effects of a denial-of-service attack on the Litecoin network, which had enabled malicious transactions to be processed due to a vulnerability in its Mimblewimble Extension Block protocol. The attack was mitigated after the network's longest valid chain corrected the invalid transactions. The Litecoin Core v0.21.5.4 release has been made available, which includes essential security updates. According to the Litecoin Foundation, the bug has been fully patched and the network is now operating normally.

However, security researchers have pointed out that the timeline of events, as indicated by the litecoin-project GitHub repository, suggests that the vulnerability was known and patched privately a month prior to the attack, but the fix had not been publicly disclosed or mandated for all mining pools. This created a window of opportunity for the attackers, who seemed to be aware of the patched and unpatched nodes. The attack involved a separate denial-of-service vulnerability that was patched on the morning of April 25, and both fixes were incorporated into the release 0.21.5.4 after the attack had commenced.

The incident highlights the differences in how various networks respond to exploits, with newer chains being able to coordinate upgrades quickly, whereas older proof-of-work networks like Litecoin rely on independent mining pools to upgrade, resulting in a window of vulnerability.
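A 13-block reorganization is exactly the kind of event a node operator, exchange or payment processor wants to be alerted on, because every transaction in the abandoned blocks is no longer confirmed. The monitor below is an added example written for this article; it is not code from Litecoin Core or from the Litecoin Foundation. It assumes a simplified block-header model (height, hash, previous hash) fed from whatever the node reports as its best tip, and it computes the fork point and the number of abandoned blocks whenever the tip switches to a competing branch. The chain data in `simulate_13_block_reorg` is constructed to mirror the depth reported in the article, not taken from the real chain.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Block:
    """Minimal header view: enough to walk ancestry (assumed model, not a real header)."""
    height: int
    hash: str
    prev_hash: str


@dataclass(frozen=True)
class ReorgEvent:
    fork_height: int        # height of the last block shared by both branches
    abandoned: List[str]    # hashes no longer on the best chain, newest first
    new_tip: str
    alert: bool             # True when the reorg depth reaches the alert threshold


class ReorgMonitor:
    """Tracks the tip a node reports and measures how deep each reorganization is."""

    def __init__(self, alert_depth: int = 6) -> None:
        # Depth at which a reorg is treated as an incident; 6 is a common
        # confirmation threshold, not a value prescribed by Litecoin.
        self.alert_depth = alert_depth
        self.blocks: Dict[str, Block] = {}
        self.tip: Optional[Block] = None

    def register(self, block: Block) -> None:
        """Record a header that was seen (e.g. during headers-first sync) without making it the tip."""
        self.blocks[block.hash] = block

    def _ancestry(self, block: Block) -> List[str]:
        """Walk back from a block through every known parent, tip first."""
        path: List[str] = []
        cur: Optional[Block] = block
        while cur is not None:
            path.append(cur.hash)
            cur = self.blocks.get(cur.prev_hash)
        return path

    def observe_tip(self, block: Block) -> Optional[ReorgEvent]:
        """Feed the node's current best tip; return a ReorgEvent if blocks were abandoned."""
        self.register(block)
        if self.tip is None or block.prev_hash == self.tip.hash:
            self.tip = block          # plain extension of the current chain
            return None
        new_ancestors = set(self._ancestry(block))
        abandoned: List[str] = []
        fork_hash: Optional[str] = None
        # Walk the old tip backwards until we reach a block the new branch also has.
        for h in self._ancestry(self.tip):
            if h in new_ancestors:
                fork_hash = h
                break
            abandoned.append(h)
        self.tip = block
        if not abandoned:
            return None               # tip jumped ahead on the same branch (missed blocks)
        # -1 means the new branch shares no known ancestor at all, which is itself suspicious.
        fork_height = self.blocks[fork_hash].height if fork_hash else -1
        return ReorgEvent(fork_height, abandoned, block.hash,
                          len(abandoned) >= self.alert_depth)


def build_chain(prefix: str, start_height: int, count: int, prev_hash: str) -> List[Block]:
    """Construct a linear run of labelled sample blocks (constructed test data)."""
    blocks: List[Block] = []
    for i in range(count):
        h = start_height + i
        blocks.append(Block(h, f"{prefix}{h}", prev_hash))
        prev_hash = blocks[-1].hash
    return blocks


def simulate_13_block_reorg() -> Optional[ReorgEvent]:
    """Constructed scenario: 13 blocks (x3..x15) are replaced by a longer branch (y3..y16)."""
    mon = ReorgMonitor(alert_depth=6)
    for b in [Block(0, "g0", "")] + build_chain("g", 1, 2, "g0"):   # g0, g1, g2
        mon.observe_tip(b)
    for b in build_chain("x", 3, 13, "g2"):                          # x3..x15 become the tip
        mon.observe_tip(b)
    competing = build_chain("y", 3, 14, "g2")                        # y3..y16 fork at g2
    for b in competing[:-1]:
        mon.register(b)                                              # headers arrive first
    return mon.observe_tip(competing[-1])                            # node switches to y16


if __name__ == "__main__":
    ev = simulate_13_block_reorg()
    print(f"fork at height {ev.fork_height}, {len(ev.abandoned)} blocks abandoned, alert={ev.alert}")
```

The design choice worth noting is that the monitor keys on ancestry rather than on height alone: a tip at a greater height is not by itself a reorg, and a reorg can land at the same height as the old tip. In practice the `register`/`observe_tip` calls would be driven by the node's RPC or ZMQ notifications, and an `alert=True` event should trigger a hold on crediting any transaction that was only confirmed in the abandoned blocks.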