The Litecoin network was forced to roll back approximately 32 minutes of transaction history due to a series of consecutive attacks in the last days of the week. The reason for this was the exploitation of a vulnerability in the Mimblewimble Extension Block (MWEB) protocol in the network. The MWEB protocol was launched in 2022 as a layer that provides extra privacy and scalability to Litecoin. In the incident, attackers exploited a bug in this protocol to target some mining pools and managed to temporarily run part of the network on a new chain.
The gap created by the hidden patch
In the statement made by the Litecoin Foundation regarding the attack, it was stated that the vulnerability detected during Asian hours on Sunday was completely patched and the network returned to normal functioning. However, security researchers point out that there is a more complex picture behind the incident.
A researcher named bbsz from the SEAL911 group, which works in the field of cyber security and provides emergency response to crypto attacks, detailed the attack process by examining Litecoin’s code record on GitHub. It turned out that the consensus vulnerability was actually closed specifically between March 19-26, meaning the security fix was made about a month before the attack. However, it seems that the critical patch has not been publicly announced and has not been made mandatory for all mining pools.
This resulted in some miners using the updated version while others remained with the vulnerable old code. The attackers identified who was vulnerable and turned this into an opportunity.
Technical aspect of the attack and chain reorganization
Two main attack vectors created by the vulnerability attracted attention. The first was that erroneous MWEB transactions were accepted on vulnerable nodes. The second was that some updated miner nodes were temporarily excluded from the network through a denial of service attack (DoS). Thus, more parts of the chain were included in the faulty chain created by miners running unupdated code.
Data on the blockchain showed that the attacker pre-sent funds to a wallet via the Binance exchange approximately 38 hours before the move, and that this address was prepared to convert LTC to ETH on a decentralized platform. After the attack, the network automatically reorganized the 13 blocks and returned to the correct chain. During this process, mining pools using updated code with sufficient processing power were able to restore the network. But the vulnerable chain arm was considered valid for about half an hour.
“After the attack, the network automatically rolled back 13 blocks and moved to the most up-to-date secure chain, but in the meantime, transactions could be made on the vulnerable chain for 32 minutes.”
Chain update and industry challenges
Litecoin and Bitcoin, which are old-style proof-of-work networks, do not have a central distribution mechanism for software updates. Mining pools each apply new patches at their own initiative when they become available, creating a potentially dangerous window of delay in urgent security patches. In contrast, in newer chains with a centralized validator structure, updates can quickly spread throughout the network through group chats and collective coordination.
The Litecoin Foundation had not made any public statement regarding the technical details of the attack and the patch timeline on GitHub as of Sunday morning. There is no clear information yet about how much Litecoin was removed from the chain during the attack and how much of these funds were returned.
