Late Friday into Saturday, the Litecoin network experienced a significant setback, marked by a 13-block chain reorganization that rewound approximately 32 minutes of activity. This disruption was instigated by attackers exploiting a vulnerability in the network’s Mimblewimble Extension Block (MWEB) protocol. The flaw allowed a denial-of-service (DoS) attack to target major mining pools, enabling invalid MWEB transactions to bypass nodes that had not updated their software, until the network’s longest valid chain intervened.
By Sunday morning in Asian time zones, the Litecoin Foundation announced that the bug had been fully patched and that operations had returned to normal. However, some researchers pointed to discrepancies within the Litecoin project’s GitHub repository that suggest a more complicated narrative. Security researcher bbsz, affiliated with the SEAL911 emergency response group, scrutinized the timeline of events as documented in the public commit log and expressed concern over the implications of the findings.
According to bbsz, the commit history reveals that a consensus vulnerability leading to the invalid MWEB peg-out had been privately patched between March 19 and March 26—approximately four weeks prior to the attack. Moreover, a separate denial-of-service vulnerability had its patch issued on the morning of April 25, after hostilities had already begun.
Bbsz noted that while the post-mortem attributes the incident to a single zero-day vulnerability that permitted an invalid MWEB transaction to slip through, the information presented in the git log suggests a more intricate scenario. The commit history confirms that the consensus vulnerability was known and addressed privately before the exploit occurred, though the fix had not been widely communicated or mandated for all mining pools. This negligence created a vulnerability window in which some miners operated under the patched code while others continued to run outdated, vulnerable versions, presumably making it easier for attackers to manipulate the network.
Concerns were echoed by Alex Shevchenko, the CTO of NEAR Foundation’s Aurora project. He revealed that blockchain data indicated the attacker pre-funded a wallet 38 hours ahead of the exploit, using a withdrawal from Binance, with the destination pre-configured to convert LTC to ETH via a decentralized exchange. Shevchenko posited that the DoS attack, coupled with the MWEB bug, was a two-pronged strategy: the DoS was aimed specifically at disabling patched mining nodes, allowing unpatched ones to become the foundation of a chain that included the invalid transactions. The network’s eventual 13-block reorganization indicated that enough processing power had shifted to updated code to reclaim stability, albeit only after a 32-minute lapse during which the unpatched fork was the dominant chain.
This incident highlights the contrasting responses to attacks among various blockchain networks. For instance, newer platforms with smaller, more centralized validator sets typically coordinate rapid upgrades through direct communication channels, allowing for swift network-wide patches. In contrast, older proof-of-work networks like Litecoin and Bitcoin rely on independent mining pools to determine upgrade timelines, creating significant vulnerabilities in urgent scenarios.
As of Sunday morning, the Litecoin Foundation had yet to address the implications surrounding the GitHub timeline or disclose the amount of LTC that was pegged out during the invalid period, nor the value of transactions that may have been executed before the subsequent reorganization corrected them.
