Litecoin Recovers from Denial-of-Service Attack and 13-Block Rewrite
Late Friday and into Saturday, a series of events unfolded on the Litecoin network, culminating in a 13-block chain reorganization to undo the effects of a denial-of-service attack. The attack exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol that allowed invalid transactions to be inserted into the network.

The vulnerability had been privately patched between March 19 and 26, but the fix had not been widely deployed, leaving a window of opportunity for the attackers. They targeted major mining pools, using the vulnerability to introduce invalid MWEB transactions into the network. The attack was eventually mitigated as the network's longest valid chain displaced the blocks containing the invalid transactions, but not before approximately 32 minutes of network activity had been rewound.

The Litecoin Foundation has since confirmed that the bug has been fully patched and that the network is operating normally. However, the timeline of events, as revealed through the litecoin-project GitHub repository, shows that the vulnerability was known and patched a month before the attack, raising questions about how the disclosure and rollout of the fix were handled.

The incident highlights a structural challenge for older proof-of-work networks such as Litecoin: independent mining pools are responsible for upgrading their own software, so a fix that exists in the codebase is not protection until the pools actually run it. Newer, more centralized networks can coordinate upgrades quickly; the decentralized nature of Litecoin and similar networks can delay patching, widening the window in which a known vulnerability remains exploitable.

The full extent of the damage, including the amount of LTC pegged out during the invalid block window and the value of any swaps completed before the reorganization, has not been disclosed.