Litecoin Recovers from Denial-of-Service Attack by Rewriting 13 Blocks

Over Friday and Saturday, the Litecoin network underwent a 13-block reorganization that effectively reversed 32 minutes of network activity. The reorganization was a response to a denial-of-service attack that exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol, allowing invalid transactions to slip past nodes that had not been updated. Litecoin Core v0.21.5.4 was subsequently released, with all users advised to upgrade because of important security updates. According to the Litecoin Foundation, the bug was fully patched by Sunday morning, and the network has returned to normal operation.

Security researchers, however, have pointed out discrepancies in the timeline of events, based on the litecoin-project GitHub repository. The repository shows that the consensus vulnerability was privately patched between March 19 and 26, roughly four weeks before the attack occurred. A separate denial-of-service vulnerability was patched on April 25, and both fixes were included in release 0.21.5.4 after the attack had begun.

The term zero-day refers to a vulnerability that is unknown to defenders at the time of an attack. In this case, the consensus vulnerability was known and patched a month before the exploit. The patch, however, had not been publicly broadcast or mandated for all mining pools, which left a window in which attackers could target nodes still running the vulnerable version of the code.

Alex Shevchenko, CTO of NEAR Foundation's Aurora project, raised concerns about the exploit, highlighting that blockchain data showed the attacker had pre-funded a wallet 38 hours before the exploit and had configured the destination address to swap LTC for ETH on a decentralized exchange.

The denial-of-service attack and the MWEB bug were separate components. The DoS was designed to take patched mining nodes offline so that the unpatched ones would form the chain that included the invalid transactions. The network handled the 13-block reorganization automatically once the DoS stopped, which suggests that enough hashrate was running updated code to eventually overpower the attack.

The incident highlights differences in how code maintainers and developers react to exploits on various networks. Newer chains with smaller, more centralized validator sets can coordinate upgrades quickly. Older proof-of-work networks like Litecoin and Bitcoin rely on independent mining pools choosing when to upgrade, which creates a window of vulnerability whenever security patches need to be applied.

As of Sunday morning, the Litecoin Foundation has not publicly addressed the GitHub timeline. The amount of LTC pegged out during the invalid block window, and the value of any swaps completed before the reorganization reversed them, have not been disclosed.