Litecoin Recovers from Denial-of-Service Attack by Rewriting 13 Blocks

A chain reorganization of 13 blocks on the Litecoin network successfully reversed the effects of a denial-of-service attack that occurred late Friday and Saturday, which had rewound approximately 32 minutes of network activity. The attack exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol that allowed a denial-of-service attack against major mining pools, letting invalid MWEB transactions slip through nodes that had not been updated.

Following the incident, Litecoin Core v0.21.5.4 was released, containing crucial security updates. According to the Litecoin Foundation, the bug has been fully patched and the network is now operating normally.

However, security researchers have pointed out discrepancies in the timeline of events: the litecoin-project GitHub repository indicates that the consensus vulnerability was privately patched between March 19 and 26, more than four weeks before the attack. Prominent researchers, including security researcher bbsz, have raised concerns about the handling of the exploit, citing the timeline of patches and the potential for future vulnerabilities.

The incident highlights the challenges faced by older proof-of-work networks like Litecoin in responding to security exploits, particularly when compared to newer chains with more centralized validator sets.