Litecoin Falls Victim to Denial-of-Service Attack, Successfully Reverses 13 Blocks

On Friday and Saturday, a 13-block chain reorganization occurred on the Litecoin network, undoing approximately 32 minutes of activity after attackers exploited a vulnerability in the Mimblewimble Extension Block protocol. The bug enabled a denial-of-service attack against major mining pools: nodes that had not been updated accepted invalid transactions, and those transactions stood until the network's longest valid chain overrode them. Following the incident, Litecoin Core v0.21.5.4 was released, and all users were advised to upgrade because it contains important security fixes. The Foundation announced on Sunday that the bug had been fully patched and the network was operating normally.

However, security researchers have pointed out that the timeline visible in the litecoin-project GitHub repository suggests the vulnerability was known and patched privately a month before the attack. This has raised concerns about the window of exposure between the private patch and its public release, which gave attackers an opportunity to exploit the gap. The consensus vulnerability was privately patched between March 19 and March 26, while a separate denial-of-service vulnerability was patched on April 25. Both fixes shipped in v0.21.5.4, which became available only after the attack had begun.

The incident highlights a challenge for older proof-of-work networks like Litecoin: independent mining pools choose when to upgrade, so a security patch can leave a window of vulnerability until enough of them have deployed it.
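The mechanism described above, with nodes that accept a transaction under old rules and later get reorganized onto the longest valid chain, can be modelled with a small fork-choice simulation. The following is an added illustration written for this article; it is not code from the Litecoin project and does not model the actual Mimblewimble Extension Block bug. It assumes a 2.5-minute target block interval, uses a constructed validation rule (transactions whose id starts with `bad-` are the ones the hypothetical patch rejects), and builds its own toy chain data: a 13-block branch carrying such transactions, followed by a 14-block valid branch.

```python
"""Toy model of a chain reorganization caused by a consensus-rule split.

Added example, not Litecoin project code. Two node types are modelled: an
upgraded node that rejects blocks carrying a transaction the patch marks
invalid, and a stale node that still accepts them. Both follow the longest
chain they consider valid, so the stale node is reorganized once the valid
branch overtakes the invalid one.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BLOCK_TIME_MINUTES = 2.5  # assumed Litecoin target block interval


@dataclass(frozen=True)
class Block:
    ident: str
    parent: str
    height: int
    txs: Tuple[str, ...]


def tx_valid(tx: str, upgraded: bool) -> bool:
    """Constructed rule: upgraded nodes reject 'bad-' transactions, stale nodes accept them."""
    return not (upgraded and tx.startswith("bad-"))


class Node:
    def __init__(self, upgraded: bool, genesis: Block) -> None:
        self.upgraded = upgraded
        self.blocks: Dict[str, Block] = {genesis.ident: genesis}
        self.tip = genesis
        # Each entry records (reorg depth, transactions undone by that reorg).
        self.reorgs: List[Tuple[int, Tuple[str, ...]]] = []

    def _ancestry(self, block: Block) -> List[Block]:
        """Walk parent links from a block back to genesis (tip first)."""
        path = [block]
        while block.parent in self.blocks:
            block = self.blocks[block.parent]
            path.append(block)
        return path

    def accept(self, block: Block) -> bool:
        """Validate a block under this node's rules and apply longest-valid-chain selection."""
        if block.parent not in self.blocks:
            return False  # parent unknown (it was rejected or never seen)
        if not all(tx_valid(tx, self.upgraded) for tx in block.txs):
            return False  # invalid under this node's consensus rules
        self.blocks[block.ident] = block
        if block.height <= self.tip.height:
            return True  # stored as a side branch, tip unchanged
        if block.parent != self.tip.ident:
            # New best chain does not extend the current tip: reorganize.
            new_chain = {b.ident for b in self._ancestry(block)}
            undone: List[Block] = []
            old = self.tip
            while old.ident not in new_chain:  # walk back to the common ancestor
                undone.append(old)
                old = self.blocks[old.parent]
            undone_txs = tuple(tx for b in undone for tx in b.txs)
            self.reorgs.append((len(undone), undone_txs))
        self.tip = block
        return True


def build_scenario() -> Tuple[Block, List[Block], List[Block]]:
    """Constructed chain data: a 13-block invalid branch and a 14-block valid branch."""
    genesis = Block("G", "", 0, ())
    attack, parent = [], "G"
    for i in range(1, 14):
        attack.append(Block(f"A{i}", parent, i, (f"bad-tx{i}",)))
        parent = attack[-1].ident
    honest, parent = [], "G"
    for i in range(1, 15):
        honest.append(Block(f"B{i}", parent, i, (f"tx{i}",)))
        parent = honest[-1].ident
    return genesis, attack, honest


def run_scenario() -> dict:
    """Deliver the invalid branch first, then the valid one, to a stale and an upgraded node."""
    genesis, attack, honest = build_scenario()
    stale = Node(upgraded=False, genesis=genesis)
    upgraded = Node(upgraded=True, genesis=genesis)
    for block in attack + honest:
        stale.accept(block)
        upgraded.accept(block)
    depth, undone_txs = stale.reorgs[0] if stale.reorgs else (0, ())
    return {
        "stale_reorg_depth": depth,
        "minutes_undone": depth * BLOCK_TIME_MINUTES,  # 13 blocks -> 32.5 minutes
        "undone_txs": undone_txs,
        "stale_tip": stale.tip.ident,
        "upgraded_reorgs": len(upgraded.reorgs),
        "upgraded_tip": upgraded.tip.ident,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The stale node accepts all 13 invalid blocks and only abandons them when the fourteenth valid block makes the honest branch longer, undoing every transaction on the invalid branch; the upgraded node never accepts the first invalid block, so every later block on that branch is an orphan to it and it sees no reorganization at all. That asymmetry is why the window between a private patch and its deployment by independent pools matters.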