Litecoin Recovers from Denial-of-Service Attack by Reorganizing 13 Blocks

A chain reorganization of 13 blocks on the Litecoin network late Friday and Saturday reversed approximately 32 minutes of network activity after attackers exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol. The bug enabled a denial-of-service attack against major mining pools, allowing invalid MWEB transactions to bypass nodes that had not been updated before the network's longest valid chain corrected them. The Litecoin Core v0.21.5.4 release, which includes crucial security updates, has been made available, and all users are advised to upgrade. According to the Foundation, the bug was fully patched and the network is operating normally as of Sunday morning. However, prominent researchers claim that the timeline of events provided by the litecoin-project GitHub repository contradicts this narrative. Security researcher bbsz, who works with the SEAL911 emergency response group for crypto exploits, posted the patch timeline extracted from the public commit log, revealing that the consensus vulnerability was privately patched between March 19 and March 26, roughly four weeks before the attack. A separate denial-of-service vulnerability was patched on the morning of April 25, and both fixes were incorporated into release 0.21.5.4 the same afternoon, after the attack had already begun. A zero-day refers to a vulnerability that is unknown to defenders at the time of an attack. The commit history of Litecoin shows that the consensus vulnerability was known and patched privately a month before the exploit but had not been publicly disclosed or mandated for all mining pools. This created a window of opportunity where some miners ran the patched code while others ran the vulnerable version, and the attackers seemed to be aware of the difference. Alex Shevchenko, CTO of NEAR Foundation's Aurora project, expressed similar concerns in a thread. Blockchain data indicated that the attacker pre-funded a wallet 38 hours before the exploit through a Binance withdrawal, with the destination address already set up to swap LTC for ETH on a decentralized exchange. The denial-of-service attack and the MWEB bug were separate components, Shevchenko argued, with the DoS designed to take patched mining nodes offline so that the unpatched ones would form the chain that included the invalid transactions. The fact that the network automatically handled the 13-block reorganization once the DoS stopped suggests that enough hashrate was running updated code to eventually overpower the attack, but only after the unpatched fork had run for 32 minutes. The attack on Litecoin highlights how different networks respond to exploits in distinct ways. Newer chains with smaller, more centralized validator sets can coordinate upgrades through chat groups and push patches network-wide in hours. Older proof-of-work networks like Litecoin and Bitcoin rely on independent mining pools choosing when to upgrade, which works for non-urgent changes but creates a window of vulnerability when a security patch needs to reach everyone before an attacker exploits the gap. The Litecoin Foundation has not publicly addressed the GitHub timeline as of Sunday morning. The amount of LTC pegged out during the invalid block window and the value of any swaps completed before the reorganization reversed them have not been disclosed.