Litecoin Recovers from Denial-of-Service Attack by Rewriting 13 Blocks

Over the weekend, a denial-of-service attack on Litecoin led to a 13-block chain reorganization, effectively reversing 32 minutes of network activity. The attack exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol that allowed invalid transactions to be processed by nodes that had not been updated. Once the attack ceased, the network self-corrected, with enough updated hashrate to overpower the attack.

The Litecoin Foundation released version 0.21.5.4 and advised all users to upgrade because of important security updates. Although the Foundation stated that the bug was fully patched and the network was operating normally, prominent researchers pointed out discrepancies in the timeline based on the litecoin-project GitHub repository. The repository showed that the consensus vulnerability was privately patched between March 19 and 26, roughly four weeks before the attack. A separate denial-of-service vulnerability was patched on April 25. Both fixes were included in release 0.21.5.4 after the attack had begun.

The incident highlights a challenge faced by older proof-of-work networks like Litecoin: independent mining pools choose when to upgrade, which leaves a window of vulnerability while security patches roll out. The amount of LTC affected during the invalid block window and the value of any swaps completed before the reorganization remain undisclosed.