
A 13-block chain reorganization late on Friday and into Saturday rewound roughly 32 minutes of network activity after attackers exploited a vulnerability in Litecoin's Mimblewimble Extension Block (MWEB) protocol.
The bug had enabled a denial-of-service attack against major mining pools, letting invalid MWEB transactions slip through nodes that had not updated before the network's longest valid chain corrected them.
The Litecoin Foundation said in Asian morning hours on Sunday that the bug was fully patched and the network was operating normally.
However, prominent researchers say the litecoin-project GitHub repository tells a different story. Security researcher bbsz, who works with the SEAL911 emergency response group for crypto exploits, posted the patch timeline pulled from the public commit log.
Now that stuff has been made public on the Litecoin GitHub, we have a better sense of the timeline and what happened.
In the age of Mythos, this timeline simply doesn't fly.
The post-mortem says one zero-day triggered a DoS that let an invalid MWEB tx slip through. The git log… https://t.co/zMMrheQLPP pic.twitter.com/O3DtdwV0rF
— bbsz (@blackbigswan) April 26, 2026
The consensus vulnerability that allowed the invalid MWEB peg-out was privately patched between March 19 and March 26, roughly four weeks before the attack. A separate denial-of-service vulnerability was patched on the morning of April 25.
Both fixes were rolled into release 0.21.5.4 the same afternoon, after the attack had already begun.
“The post-mortem says one zero-day triggered a DoS that let an invalid MWEB transaction slip through,” bbsz wrote. “The git log tells a slightly different story.”
A zero-day is a vulnerability unknown to defenders at the time of an attack.
By that definition the consensus bug does not qualify: Litecoin's commit history shows it was known and patched privately a month before the exploit, but the fix had not been announced publicly or required of all mining pools.
That created a window in which some miners ran the patched code while others ran the still-vulnerable version, and the attackers appear to have known which was which.
Alex Shevchenko, CTO of the NEAR Foundation's Aurora project, raised parallel concerns in a thread.
Blockchain data showed the attacker pre-funded a wallet 38 hours before the exploit via a Binance withdrawal, with the destination address already configured to swap LTC into ETH on a decentralized exchange.
The denial-of-service attack and the MWEB bug were separate components, Shevchenko argued, with the DoS designed to take patched mining nodes offline so that the unpatched ones would form the chain that included the invalid transactions.
That the network automatically handled the 13-block reorganization once the DoS stopped suggests enough hashrate was running updated code to eventually overpower the attack, but only after the unpatched fork had run for 32 minutes.
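The fork dynamics Shevchenko describes, as an added example that is not from the article, the Litecoin project or anyone quoted here: a toy longest-valid-chain model in which patched miners are held offline for a DoS window while unpatched miners extend a chain whose first block carries a peg-out that only the old rule accepts. The hashrate split, block interval, DoS length, the two rule functions and the transactions are all constructed assumptions, and the model uses expected block production rather than random mining, so the numbers it produces are illustrative, not Litecoin's.

```python
"""
Toy model (constructed example, not Litecoin code) of a fork between miners
running two validity rules, one of which is knocked offline by a DoS.
"""
from dataclasses import dataclass
from fractions import Fraction
from math import floor
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Tx:
    amount: int
    pegout_ok: bool  # False stands in for the malformed MWEB peg-out


@dataclass(frozen=True)
class Block:
    height: int
    txs: Tuple[Tx, ...]


# Stand-in validity rules (assumptions, not Litecoin's consensus code):
# the unpatched rule never checks the peg-out, the patched rule rejects it.
def unpatched_rule(tx: Tx) -> bool:
    return True


def patched_rule(tx: Tx) -> bool:
    return tx.pegout_ok


def chain_valid(chain: List[Block], rule: Callable[[Tx], bool]) -> bool:
    """A chain is valid under a rule only if every tx in every block passes it."""
    return all(rule(tx) for block in chain for tx in block.txs)


def choose_tip(candidates: List[List[Block]],
               rule: Callable[[Tx], bool]) -> Optional[List[Block]]:
    """Longest-valid-chain rule: a chain with a rejected tx is never a candidate."""
    valid = [c for c in candidates if chain_valid(c, rule)]
    return max(valid, key=len) if valid else None


def simulate_fork(patched_pct: int, dos_minutes: int,
                  block_interval: Fraction = Fraction(5, 2),
                  max_minutes: int = 24 * 60) -> Optional[Tuple[int, int]]:
    """
    Grow both forks from a common ancestor in one-minute steps using expected
    block production (hashrate share / block interval, in blocks per minute).
    Patched miners produce nothing until the DoS ends. Unpatched miners abandon
    their fork the minute the patched chain is strictly longer, because that
    chain is valid under their rule too; patched miners never adopt the fork.
    Returns (orphaned_blocks, minutes_until_reorg), or None if the patched
    side never catches up within max_minutes.
    """
    patched_share = Fraction(patched_pct, 100)
    unpatched_rate = (1 - patched_share) / block_interval
    patched_rate = patched_share / block_interval
    for t in range(1, max_minutes + 1):
        unpatched_len = floor(unpatched_rate * t)
        patched_len = floor(patched_rate * max(0, t - dos_minutes))
        if patched_len > unpatched_len:
            return unpatched_len, t
    return None


def build_chains(unpatched_len: int, patched_len: int) -> Tuple[List[Block], List[Block]]:
    """Materialise both forks so the two validity rules can be applied to them."""
    bad = Block(1, (Tx(amount=1000, pegout_ok=False),))
    unpatched = ([bad] + [Block(h, ()) for h in range(2, unpatched_len + 1)])[:unpatched_len]
    patched = [Block(h, (Tx(amount=5, pegout_ok=True),)) for h in range(1, patched_len + 1)]
    return unpatched, patched


if __name__ == "__main__":
    depth, minutes = simulate_fork(patched_pct=60, dos_minutes=20)
    print(f"reorg of {depth} blocks, {minutes} minutes after the fork began")
    # During the DoS each side follows its own chain; after it both converge.
    during = build_chains(depth, 0)
    after = build_chains(depth, depth + 1)
    for label, (unpatched, patched) in (("during DoS", during), ("after reorg", after)):
        p_tip = choose_tip([unpatched, patched], patched_rule)
        u_tip = choose_tip([unpatched, patched], unpatched_rule)
        print(label, "patched view:", len(p_tip) if p_tip else 0,
              "unpatched view:", len(u_tip))
```

With a 60/40 hashrate split and a 20-minute DoS the model orphans 9 blocks 62 minutes after the fork begins; shortening the DoS window or raising the patched share shrinks both numbers, while a patched minority never catches up and the invalid fork simply persists. The two `choose_tip` calls show the mechanism behind the convergence: patched nodes never treat the fork as a candidate at any point, and unpatched nodes leave it only once the clean chain is strictly longer.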
The Litecoin incident shows how differently networks respond to exploits. Newer chains with smaller, more centralized validator sets coordinate upgrades through chat groups and can push patches network-wide in hours.
Older proof-of-work networks like Litecoin and bitcoin rely on independent mining pools choosing when to upgrade, which works for non-urgent changes but creates a window of vulnerability when a security patch needs to reach everyone before an attacker exploits the gap.
The Litecoin Foundation had not publicly addressed the GitHub timeline as of Sunday morning.
The amount of LTC pegged out during the invalid block window, and the value of any swaps completed before the reorganization reversed them, have not been disclosed.
UPDATE (April 26, 11:04 UTC): Rewrites headline to focus on the attack and the remedy.