Litecoin Network Faces Denial-of-Service Attack, Prompting 13-Block Rewrite

Late Friday and Saturday, a 13-block chain reorganization occurred on the Litecoin network, reversing approximately 32 minutes of network activity. The reorganization was a response to a denial-of-service attack that exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol, which allowed invalid transactions to temporarily bypass nodes that had not been updated. Litecoin Core v0.21.5.4 has been released, and all users are advised to upgrade because it contains important security updates. The foundation announced on Sunday that the bug had been fully patched and the network was operating normally.

However, security researchers have pointed out discrepancies in the timeline of events, suggesting that the vulnerability was known and privately patched between March 19 and 26, roughly four weeks before the attack. The private patch was not publicly disclosed or mandated for all mining pools, creating a window of vulnerability. The attack involved a separate denial-of-service vulnerability that was patched on April 25, and both fixes were included in release 0.21.5.4 after the attack had begun.

The exploit has raised concerns about the response to security vulnerabilities in cryptocurrency networks, particularly in older proof-of-work systems like Litecoin, where independent mining pools have the discretion to choose when to upgrade, potentially leaving the network exposed in the meantime.