Litecoin Faces Denial-of-Service Attack, Reverses 13 Blocks to Mitigate Damage
On Friday and Saturday, a series of events led to a 13-block chain reorganization on the Litecoin network, rewinding roughly 32 minutes of network activity (13 blocks at Litecoin's 2.5-minute target block interval). The reorganization followed an attack that exploited a consensus vulnerability in the Mimblewimble Extension Block (MWEB) protocol: nodes that had not been updated accepted transactions that patched nodes rejected as invalid. The Litecoin Core v0.21.5.4 release has since been made available, containing the security fixes. According to the Litecoin Foundation, the bug has been fully patched and the network is operating normally.

Security researchers have, however, pointed out discrepancies in the timeline of events. The litecoin-project GitHub repository indicates that the consensus vulnerability was privately patched between March 19 and 26, roughly four weeks before the attack, and that a separate denial-of-service vulnerability was patched on April 25. Both fixes were incorporated into release 0.21.5.4 on the afternoon of the attack. This has raised concerns about the network's vulnerability window: during that period some miners were running patched code while others continued to run the vulnerable version.

Blockchain data shows that the attacker pre-funded a wallet 38 hours before the exploit and had configured the destination address to swap LTC for ETH on a decentralized exchange. The denial-of-service attack and the MWEB bug were reportedly separate components of the attack: the DoS was designed to take patched mining nodes offline, so that the unpatched ones could form a chain that included the invalid transactions. Once the DoS stopped, the network handled the 13-block reorganization automatically, which indicates that enough hashrate was running updated code to build a heavier valid chain and overtake the invalid one.

The incident highlights how differently networks respond to exploits. Newer chains have more centralized validator sets, while older proof-of-work networks rely on independent mining pools to upgrade on their own schedule, which creates a window of vulnerability.
The Litecoin Foundation has yet to publicly address the GitHub timeline. The amount of LTC pegged out during the invalid-block window, and the value of any swaps completed before the reorganization reversed them, remain undisclosed.