Litecoin Recovers from Denial-of-Service Attack by Rewriting 13 Blocks

Late Friday and into Saturday, a 13-block chain reorganization occurred on the Litecoin network (LTC was trading at $55.61), effectively reversing the impact of a denial-of-service attack. The attack exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol that allowed invalid transactions to be accepted by nodes that had not been updated. Litecoin Core v0.21.5.4 has since been released, and all users are urged to upgrade because of the security fixes it contains. According to the Litecoin Foundation, the bug has been fully patched and the network is operating normally.

Security researchers, however, have pointed out discrepancies between the reported timeline and the record in the litecoin-project GitHub repository. The repository shows that the consensus vulnerability was privately addressed between March 19 and 26, more than four weeks before the attack. A separate denial-of-service vulnerability was patched on April 25. Both fixes shipped in release 0.21.5.4, which was rolled out after the attack had already begun.

The term 'zero-day' refers to a vulnerability that is unknown to defenders at the time it is exploited; here, the consensus vulnerability was known and patched a month before the exploit. What created the window of exposure was that the fix had not been publicly announced or mandated for all mining pools.

Alex Shevchenko, CTO of NEAR Foundation's Aurora project, raised further concerns in a thread, noting that on-chain data indicated the attacker had pre-funded a wallet 38 hours before the exploit, with plans to swap LTC for ETH on a decentralized exchange. The denial-of-service attack and the MWEB bug were distinct components: the DoS was designed to knock patched mining nodes offline so that the unpatched ones could build a chain containing the invalid transactions.
That the network handled the 13-block reorganization on its own once the DoS stopped suggests that enough hashrate was running the updated code to eventually outpace the invalid chain. The incident also highlights how differently networks respond to exploits: newer chains with more centralized validator sets can coordinate upgrades quickly, whereas older proof-of-work networks such as Litecoin and Bitcoin rely on independent mining pools choosing when to upgrade, which creates windows of vulnerability.
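To make the fork-and-reorg mechanism described above concrete, here is a small simulation added for this article. It is not code from Litecoin Core or the Litecoin project and models nothing about the real MWEB bug. It assumes a simplified longest-chain rule with no difficulty adjustment: unpatched miners accept any block, patched miners only build on chains in which every block is valid, and the DoS is represented by a stretch in which patched miners find no blocks. The block-discovery schedule (labels `P`, `U` and `X`, explained in the code) stands in for hashrate share and is a constructed input, as are the two scenarios at the bottom.

```python
"""Toy longest-chain model of the fork-and-reorg dynamics described above.

Added illustration, not Litecoin Core code. Simplifying assumptions:
  * every block has one parent and there is no difficulty adjustment, so the
    "longest" chain is simply the highest one;
  * unpatched miners accept any block; patched miners only build on chains in
    which every block is valid;
  * a DoS against patched miners is modelled by a stretch of the schedule in
    which they find no blocks at all.
The schedule string is a constructed input: each character is one found block.
  'P' = patched miner, valid block
  'U' = unpatched miner, valid block
  'X' = unpatched miner, block carries the consensus-breaking transaction
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(eq=False)
class Block:
    height: int
    parent: Optional["Block"]
    valid: bool        # this block alone passes the (patched) consensus rules
    fully_valid: bool  # this block and every ancestor are valid
    label: str


def common_ancestor(a: Block, b: Block) -> Block:
    """Walk both chains back until they meet (the fork point)."""
    while a.height > b.height:
        a = a.parent
    while b.height > a.height:
        b = b.parent
    while a is not b:
        a, b = a.parent, b.parent
    return a


def simulate(schedule: str) -> dict:
    genesis = Block(0, None, True, True, "G")
    patched_tip = genesis    # best chain under the patched rules
    unpatched_tip = genesis  # best chain by height alone
    reorgs = []              # depth of each reorg experienced by unpatched nodes

    for label in schedule:
        if label == "P":
            parent = patched_tip
        elif label in ("U", "X"):
            parent = unpatched_tip
        else:
            raise ValueError(f"unknown miner label {label!r}")
        valid = label != "X"
        new = Block(parent.height + 1, parent, valid,
                    valid and parent.fully_valid, label)

        # Patched nodes ignore any block whose ancestry contains an invalid tx.
        if new.fully_valid and new.height > patched_tip.height:
            patched_tip = new

        # Unpatched nodes follow height only; a tie keeps the current tip.
        if new.height > unpatched_tip.height:
            if new.parent is not unpatched_tip:
                fork = common_ancestor(unpatched_tip, new)
                reorgs.append(unpatched_tip.height - fork.height)
            unpatched_tip = new

    return {
        "patched_height": patched_tip.height,
        "unpatched_height": unpatched_tip.height,
        "reorgs": reorgs,
        "unpatched_on_invalid_chain": not unpatched_tip.fully_valid,
        "converged": unpatched_tip is patched_tip,
    }


# Constructed scenarios. Four blocks of normal mining, then the attack: the
# first unpatched block carries the invalid transaction and twelve more are
# built on top of it while the patched miners are offline (13 blocks in all).
PRE_ATTACK = "PUPU"
ATTACK = "X" + "U" * 12

# (a) patched hashrate returns and dominates: it needs 14 blocks to get one
# ahead of the 13-block invalid branch, at which point unpatched nodes reorg.
RECOVERY = simulate(PRE_ATTACK + ATTACK + "P" * 14)

# (b) patched hashrate stays a minority (one block in three): the invalid
# branch keeps growing and unpatched nodes never leave it.
STUCK = simulate(PRE_ATTACK + ATTACK + "PUU" * 10)

if __name__ == "__main__":
    print("recovery:", RECOVERY)  # reorgs == [13], converged True
    print("stuck:   ", STUCK)     # reorgs == [], still on the invalid chain
```

Scenario (a) reproduces the shape of the event: the unpatched branch reaches 13 blocks past the fork point, and the moment the patched chain is one block ahead, every unpatched node abandons exactly those 13 blocks. Scenario (b) is the failure mode the closing paragraph warns about: if the returning patched hashrate is a minority, the invalid branch simply stays ahead and the network does not heal on its own.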