Litecoin Recovers from Denial-of-Service Attack by Rewriting 13 Blocks

Late Friday and into Saturday, a denial-of-service attack targeted Litecoin, leveraging a vulnerability in its Mimblewimble Extension Block (MWEB) protocol to get invalid transactions included on the chain. The attack was countered by a 13-block chain reorganization that rewound approximately 32 minutes of network activity. According to the Litecoin Foundation, the bug was fully patched and normal network operations resumed by Sunday morning.

However, an examination of the litecoin-project GitHub repository shows that the consensus vulnerability was privately addressed between March 19 and 26, more than four weeks before the attack occurred. This timeline has raised questions: it indicates the vulnerability was known and patched, yet the fix was neither publicly announced nor mandated for all mining pools.

The attack exploited this window, during which some miners were running patched code while others were still running the vulnerable version. The denial-of-service component appeared designed to take patched mining nodes offline, allowing the unpatched nodes to build a chain that included the invalid transactions. Observers note that the network's ability to handle the 13-block reorganization on its own once the denial-of-service traffic stopped suggests that enough hashrate was running updated code to eventually overpower the attack.

The incident highlights how differently networks respond to exploits: newer chains are capable of rapid, coordinated upgrades, while older proof-of-work networks like Litecoin depend on independent mining pools to deploy updates. As of the last update, the Litecoin Foundation had not publicly commented on the GitHub timeline, and details regarding the amount of LTC involved in the invalid block window and the value of any swaps completed before the reorganization remain undisclosed.