Litecoin Recovers from Denial-of-Service Attack by Rewriting 13 Blocks

On Friday and Saturday, a denial-of-service attack targeted Litecoin by exploiting a vulnerability in its Mimblewimble Extension Block (MWEB) protocol. The flaw allowed invalid transactions to be temporarily included before the network self-corrected. The attack was possible because the bug had not been patched by all mining pools, even though a fix was available.

Litecoin Core v0.21.5.4 was subsequently released with crucial security patches, and users were advised to upgrade to protect against future exploits. According to the Litecoin Foundation, the issue was fully resolved and the network returned to normal operation by Sunday.

However, analysis of the litecoin-project GitHub repository revealed that the consensus vulnerability had been privately patched between March 19 and 26, more than four weeks before the attack occurred. This timeline has raised questions among researchers: the vulnerability was known and addressed internally before the exploit, yet the patch had not been widely implemented or announced, potentially allowing the attackers to target unpatched nodes.

The attack involved a pre-funded wallet and a decentralized exchange used to swap LTC for ETH. It highlighted the challenges that older proof-of-work networks like Litecoin face in coordinating upgrades and patches across independent mining pools. The incident demonstrates the complexities and vulnerabilities inherent in cryptocurrency networks, and the importance of swift and transparent communication in maintaining the security and integrity of these systems.