Litecoin Recovers from Denial-of-Service Attack by Rewriting 13 Blocks

Over Friday and Saturday, the Litecoin network underwent a 13-block chain reorganization that effectively rewound 32 minutes of network activity. The reorganization was a response to a denial-of-service attack that exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol. The attackers were able to slip invalid MWEB transactions through nodes that had not been updated, but the network's longest valid chain eventually corrected them.

The vulnerability had been privately patched between March 19 and 26, but the fix had not been publicly announced or mandated for all mining pools, which left a window of opportunity for the attackers. The Litecoin Foundation has released an update, Litecoin Core v0.21.5.4, which contains important security updates, and advises all users to upgrade.

Researchers have pointed out discrepancies in the timeline of events, with some suggesting that the attack may not have been a true zero-day exploit, as the vulnerability had been known and patched a month prior. The incident highlights the challenges faced by older proof-of-work networks like Litecoin, where independent mining pools are free to choose when to upgrade, creating potential windows of vulnerability.