Litecoin Clarifies on Recent Reorg, GitHub Timeline Suggests Prior Knowledge of Bug

Over the weekend, a 13-block chain reorganization rewound approximately 32 minutes of network activity on Litecoin ($56.31) following an attack exploiting a vulnerability in its Mimblewimble Extension Block (MWEB) protocol. This bug enabled attackers to execute a denial-of-service against major mining pools, allowing invalid MWEB transactions to pass through outdated nodes before correction by the longest valid chain.

In response, Litecoin Core v0.21.5.4 was released with essential security updates, as advised for all users: https://t.co/6vtrhdXi4c. The Foundation announced in Asian morning hours on Sunday that the bug was patched and network operations resumed normally.

However, an analysis of the litecoin-project GitHub repository by prominent researchers indicates a different story. Security researcher bbsz from SEAL911 highlighted a patch timeline based on public commit logs, suggesting the vulnerability had been addressed privately between March 19 and March 26, four weeks before the attack. A separate denial-of-service issue was fixed on the morning of April 25.

Both patches were incorporated into release 0.21.5.4 that afternoon, after the attack had begun. In crypto security terms, a zero-day vulnerability is one unknown to defenders at the time it is attacked. Despite Litecoin's description of the bug as a zero-day, the consensus vulnerability had been addressed privately a month before the exploit occurred.

The delay in publicly releasing the patch and in requiring its adoption led to a scenario in which some miners ran updated code while others remained vulnerable, a discrepancy that could have aided attackers who were aware of it.

Alex Shevchenko, CTO of NEAR Foundation’s Aurora project, noted that blockchain data revealed an attacker funded a wallet 38 hours before the exploit via Binance and configured it for LTC to ETH swaps on decentralized exchanges. He argued that the denial-of-service attack aimed to disable updated mining nodes, allowing unpatched ones to validate invalid transactions.

The network's automatic handling of the reorganization after the attack indicates that nodes running the updated code eventually overpowered the attacker's chain, after roughly 32 minutes during which the network was exposed. This incident underscores differences in response strategies between newer, centralized blockchain networks and older proof-of-work systems like Litecoin that depend on mining pools for updates, potentially creating security gaps.
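As an added illustration (not part of the article and not Litecoin Core code), the toy model below replays the dynamic described above: a node running the corrected rule rejects the attacker's fork, an unpatched node follows it until patched miners produce a longer valid chain, and the reorg depth the unpatched node experiences equals the number of blocks it accepted on the bad fork. Block identifiers, the mining schedule and the `invalid_mweb` flag are constructed for the example.

```python
# Toy fork-choice model of the reorg above (constructed, not Litecoin code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    ident: str
    invalid_mweb: bool = False  # carries a tx the corrected rule rejects

GENESIS = Block("g")

def acceptable(chain, patched):
    """Patched nodes reject chains carrying an invalid MWEB tx; unpatched
    nodes cannot see the defect and accept every chain."""
    return not (patched and any(b.invalid_mweb for b in chain))

def best_chain(candidates, current, patched):
    """Longest acceptable chain; on a tie keep the first-seen tip."""
    best = max((c for c in candidates if acceptable(c, patched)), key=len)
    if len(best) == len(current) and acceptable(current, patched):
        return current
    return best

def reorg_depth(old, new):
    """Blocks a node discards when it switches from `old` to `new`."""
    common = 0
    for a, b in zip(old, new):
        if a.ident != b.ident:
            break
        common += 1
    return len(old) - common

def simulate(schedule):
    """'A' = block mined on the attacker's fork (its first block carries the
    invalid MWEB tx); 'H' = block mined by patched miners.  Returns the
    deepest reorg seen by an unpatched node and by a patched node."""
    honest, attacker = [GENESIS], [GENESIS]
    tips = {True: [GENESIS], False: [GENESIS]}  # keyed by "node is patched"
    deepest = {True: 0, False: 0}
    for i, who in enumerate(schedule):
        if who == "A":
            attacker = attacker + [Block(f"a{i}", invalid_mweb=len(attacker) == 1)]
        else:
            honest = honest + [Block(f"h{i}")]
        for patched in (True, False):
            tip = best_chain([honest, attacker], tips[patched], patched)
            deepest[patched] = max(deepest[patched], reorg_depth(tips[patched], tip))
            tips[patched] = tip
    return deepest[False], deepest[True]
```

With 13 attacker blocks mined while patched pools are stalled and 14 honest blocks afterwards, `simulate("A" * 13 + "H" * 14)` reports a 13-block reorg for the unpatched node and none for the patched one.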

As of Sunday morning, the Litecoin Foundation had not commented on the GitHub timeline publicly. Details regarding the amount of LTC pegged out during the attack or any completed swaps prior to their reversal remain undisclosed.
