Litecoin Suffers Denial-of-Service Attack, Successfully Reverses 13 Blocks

On Friday and Saturday, a 13-block chain reorganization occurred on the Litecoin network, effectively rewinding 32 minutes of network activity. The reorganization was a response to an attack that leveraged a vulnerability in the Mimblewimble Extension Block (MWEB) protocol, which allowed a denial-of-service attack against major mining pools. The exploit enabled the processing of invalid MWEB transactions, which were later corrected by the network's longest valid chain.

In response, Litecoin Core v0.21.5.4 was released with critical security updates, and all users were advised to upgrade. According to the Litecoin Foundation, the bug was fully patched and the network was operating normally by Sunday morning.

However, security researchers have pointed out discrepancies in the timeline of events, suggesting that the vulnerability was known and patched privately a month before the attack, but that the fix was not publicly disclosed or mandated for all mining pools. This created a window of opportunity for attackers to exploit the vulnerability by targeting unpatched nodes.

The incident highlights the differences in how various networks respond to exploits: newer chains often coordinate upgrades quickly, while older proof-of-work networks like Litecoin face challenges in promptly implementing security patches across independent mining pools. The full extent of the damage, including the amount of LTC pegged out during the invalid block window and the value of any swapped assets, has not been disclosed.