Litecoin shakeup reverses transactions after zero-day attack

  • The attackers took advantage of the more than three-hour forking window to execute double spends.

  • The Foundation says the error is now completely fixed through security patches.

The Litecoin network experienced one of its most critical episodes this weekend since the implementation of its privacy layer. A combination of a denial of service (DoS) attack and a vulnerability in the Mimblewimble Extension Block (MWEB) protocol caused a 13-block reorganization, invalidating approximately 32 minutes of transaction history.

The incident, which occurred between Friday night and Saturday morning, April 25, allowed attackers to double spend and extract funds from cross-chain exchange protocols, raising questions about the Litecoin Foundation’s handling of security patches.

In the past few hours the Foundation has stated that the error is now completely resolved and urged node operators to update to the latest client version, Litecoin Core v0.21.5.4.

Attack on MWEB and coordinated DoS

According to technical reports, the attack exploited a consensus vulnerability in MWEB that allowed invalid transactions to slip through nodes that had not updated their software.

To ensure that the invalid chain gained traction, the attackers launched a DoS attack against major mining pools. The goal was to knock offline the nodes that already had the security patch, allowing vulnerable (unpatched) nodes to build a chain that included the fraudulent MWEB transactions.

Alex Shevchenko, CEO of Aurora Labs, described the event as a “coordinated attack.” The fork extended from block 3,095,930 to 3,095,943. The attackers exploited this “vulnerability window” and, according to on-chain data, pre-funded a wallet from Binance (0xfF18652A84aAd4f99F464f6B58cE7Ad929F6Fc10) 38 hours before the event, preparing LTC to ETH swaps on decentralized exchanges.

Once the DoS attack ceased and the hashrate running the updated software regained control, the network automatically reorganized back to the valid chain, erasing the fraudulent activity on-chain but leaving a trail of losses on external platforms.
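To make the mechanism above concrete, here is a small added simulation (not Litecoin code and not from any of the sources cited here) of how patched and unpatched nodes choose between the two chains, how deep the resulting reorg is, and how many confirmations a swap deposit on the invalid chain had accumulated before it vanished. Transaction ids and block counts are constructed, and equal difficulty is assumed so chain height stands in for accumulated work.

```python
from dataclasses import dataclass
@dataclass(eq=False)  # identity-based hashing so blocks can be put in sets
class Block:
    height: int
    txs: tuple            # (txid, valid_mweb) pairs; False marks the invalid MWEB tx
    parent: "Block | None" = None

def chain_from(tip):
    """Return the blocks from genesis to `tip`, oldest first."""
    out = []
    while tip is not None:
        out.append(tip)
        tip = tip.parent
    return out[::-1]

def best_tip(tips, patched):
    """Longest valid chain wins; a patched node enforces the MWEB rule, an unpatched one does not."""
    ok = [t for t in tips if not patched or all(v for b in chain_from(t) for _, v in b.txs)]
    return max(ok, key=lambda t: t.height, default=None)

def reorg_depth(old_tip, new_tip):
    """Blocks a node following `old_tip` discards when it switches to `new_tip`."""
    kept = set(chain_from(new_tip))
    depth, b = 0, old_tip
    while b not in kept:
        b, depth = b.parent, depth + 1
    return depth

def confirmations(tip, txid):
    """Confirmations a service following `tip` counts for `txid` (0 if absent)."""
    for b in chain_from(tip):
        if any(t == txid for t, _ in b.txs):
            return tip.height - b.height + 1
    return 0

def simulate(invalid_len=13, valid_len=14):
    """Constructed scenario: unpatched miners extend an invalid chain while patched pools are DoSed."""
    fork = Block(0, ())
    bad_tip = Block(1, (("mweb_invalid", False), ("dex_swap_deposit", True)), fork)
    for h in range(2, invalid_len + 1):
        bad_tip = Block(h, (), bad_tip)
    good_tip = fork                                       # mined by patched pools once the DoS ends
    for h in range(1, valid_len + 1):
        good_tip = Block(h, (), good_tip)
    during = best_tip([bad_tip], patched=False)           # all an observer sees during the DoS
    after = best_tip([bad_tip, good_tip], patched=False)  # longer chain wins, even for unpatched nodes
    return {"reorg_depth": reorg_depth(during, after),
            "confs_before_reorg": confirmations(during, "dex_swap_deposit"),
            "deposit_survives": confirmations(after, "dex_swap_deposit") > 0,
            "patched_follows_bad": best_tip([bad_tip], patched=True) is not None}
```

The result shows why a service releasing funds after a fixed confirmation count smaller than the reorg depth is exposed: the deposit showed 13 confirmations on the invalid chain and zero after the switch, while a patched node never followed the invalid chain at all.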

From zero-day vulnerability to silent patch

Although the Litecoin Foundation initially suggested that this was an unknown bug, security researchers dispute this account based on the public GitHub logs.

The researcher known as bbsz, a member of the SEAL911 group, revealed a chronology that suggests the developers were already aware of the bug:

  • March 19-26: The consensus vulnerability in MWEB was patched privately (almost a month before the attack).
  • April 25 (morning): A second, denial-of-service vulnerability was patched.
  • April 25 (late): Version 0.21.5.4 was released with both fixes, just as the attack was already underway.

“Post-mortem analysis says that a zero-day vulnerability caused a DoS that allowed an invalid MWEB transaction to be leaked. The Git log at litecoin-project/litecoin tells a slightly different story,” bbsz noted, suggesting that the vulnerability was already known.

Financial impact and losses in the ecosystem

While the Litecoin network corrected its history and legitimate transactions were kept safe, the protocols that interact with LTC suffered the impact of double spending before the reorganization.

  • NEAR Intents: reported an exposure of approximately $600,000.
  • Decentralized exchanges: Multiple swaps were detected that had been executed just before the reorganization reversed the underlying transactions.
  • Market: Despite the technical severity, the LTC price showed resilience, trading near $56 with a marginal drop of 1% after the news broke.

The scenario exposed by this attack raises a sensitive point about protocol security: if developers apply a “silent patch” without alerting miners to update en masse, they create conditions in which attackers can identify which nodes are still vulnerable and direct their efforts at them.

As of press time, the Litecoin Foundation has not issued additional comments on the discrepancy between the GitHub timeline and its official statements. This is the first large-scale attack against MWEB since its activation in May 2022.
