Litecoin Recovers from Denial-of-Service Attack by Rewriting 13 Blocks

Late Friday into Saturday, a 13-block chain reorganization on the Litecoin network undid approximately 32 minutes of activity, following a denial-of-service attack that leveraged a vulnerability in its Mimblewimble Extension Block protocol. The bug allowed invalid transactions to slip past nodes that had not updated, until the network's valid chain overrode them. The Litecoin Foundation announced that the bug was fully patched and that the network was operating normally by Sunday morning.

However, an examination of the litecoin-project GitHub repository shows that the consensus vulnerability was known and patched between March 19 and 26, about four weeks before the attack. That timeline calls into question the classification of the exploit as a zero-day, a term reserved for vulnerabilities unknown to defenders at the time of the attack. The patches for both the consensus vulnerability and a separate denial-of-service vulnerability shipped in the Litecoin Core v0.21.5.4 release, which users are advised to upgrade to for important security updates.

The incident highlights a challenge facing older proof-of-work networks such as Litecoin: independent mining pools decide for themselves when to upgrade, which can leave windows of vulnerability open after a fix is published.
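For a node operator, the first visible sign of an incident like this is a deep reorganization at their own node. The following is an added example, not code from the Litecoin project or from this article: a small Python tracker that records the block hash accepted at each height and, whenever the best chain changes, reports the fork point, the number of previously accepted blocks that were replaced, and a rough estimate of undone time derived from Litecoin's 2.5-minute target block interval (13 blocks at that spacing is about 32 minutes, matching the figure above). The block hashes, heights and alert threshold are constructed placeholders; in a real deployment the (height, hash) pairs would come from the node's RPC interface (`getblockcount` and `getblockhash` on Bitcoin Core-derived software such as Litecoin Core).

```python
"""Reorg-depth monitor for a Bitcoin-style chain.

Added example, not the Litecoin project's own code. Tracks the block hash
accepted at each height and, when the best chain changes, reports how many
previously accepted blocks were replaced. All hashes below are constructed
placeholders, not real Litecoin block hashes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Litecoin's target block spacing; used only to estimate wall-clock time undone.
LITECOIN_BLOCK_INTERVAL_MIN = 2.5


@dataclass
class ReorgEvent:
    fork_height: int       # last height whose block is common to old and new chain
    depth: int             # number of previously accepted blocks that were replaced
    undone_minutes: float  # rough estimate: depth * target block interval


@dataclass
class ChainTracker:
    # Alert threshold (assumed value): reorgs at or above this depth are reported.
    alert_depth: int = 6
    # height -> block hash we previously accepted at that height
    seen: Dict[int, str] = field(default_factory=dict)

    def observe(self, headers: List[Tuple[int, str]]) -> Optional[ReorgEvent]:
        """Record one poll of the node's best chain.

        headers: (height, hash) pairs for the current best chain, ascending by
        height, covering every height we may need to compare against.
        Returns a ReorgEvent if any previously accepted block was replaced.
        """
        replaced = [h for h, hsh in headers if h in self.seen and self.seen[h] != hsh]
        event = None
        if replaced:
            fork_height = min(replaced) - 1
            # Depth counts the blocks we had accepted above the fork point.
            depth = max(self.seen) - fork_height
            event = ReorgEvent(fork_height, depth, depth * LITECOIN_BLOCK_INTERVAL_MIN)
            # Drop the orphaned view before recording the chain we now follow.
            for h in list(self.seen):
                if h > fork_height:
                    del self.seen[h]
        for h, hsh in headers:
            self.seen[h] = hsh
        return event

    def is_alertable(self, event: Optional[ReorgEvent]) -> bool:
        """True when the event is deep enough to page an operator."""
        return event is not None and event.depth >= self.alert_depth


def fake_hash(chain_tag: str, height: int) -> str:
    """Constructed placeholder; real nodes return 64-hex-character block hashes."""
    return f"{chain_tag}-{height:08d}"


def demo() -> Optional[ReorgEvent]:
    """Constructed scenario: the node switches to a competing chain that forks
    after height 987, replacing heights 988..1000 (13 blocks)."""
    tracker = ChainTracker(alert_depth=6)
    # First poll: the original chain up to height 1000, all accepted.
    tracker.observe([(h, fake_hash("a", h)) for h in range(900, 1001)])
    # Second poll: same blocks up to 987, then a different chain that is now longer.
    old_part = [(h, fake_hash("a", h)) for h in range(900, 988)]
    new_part = [(h, fake_hash("b", h)) for h in range(988, 1002)]
    event = tracker.observe(old_part + new_part)
    if tracker.is_alertable(event):
        print(f"reorg: fork at height {event.fork_height}, depth {event.depth}, "
              f"~{event.undone_minutes:.1f} minutes of blocks undone")
    return event


if __name__ == "__main__":
    demo()
```

A tracker like this only sees what its own node sees, so it detects a reorg after the node has already switched chains; its value is in alerting quickly and in recording the fork height so that transactions confirmed in the replaced blocks can be re-checked for inclusion in the new chain.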