Litecoin suffered a 13-block chain reorganization on the weekend of April 25 after attackers exploited a vulnerability in the Mimblewimble Extension Block (MWEB) protocol to push invalid transactions through unpatched nodes. The Litecoin Foundation characterised the event as a zero-day exploit, but the public litecoin-project GitHub repository shows the underlying consensus vulnerability was privately patched between March 19 and March 26 — roughly four weeks before the attack — and bundled into release 0.21.5.4 only on the afternoon of April 25, after the exploit was already underway. A separate denial-of-service vulnerability used in the attack was patched the same morning.
Why it matters
A zero-day is, by definition, a vulnerability unknown to defenders at the time of attack. The commit history suggests this was the opposite: a known bug whose fix had been held back from public release and not pushed to all mining pools, creating a window in which some operators ran patched code and others did not. Security researcher bbsz of the SEAL911 emergency-response group pulled the patch timeline from the public commit log and argued on X that the Foundation's post-mortem does not match what the git history shows. NEAR's Alex Shevchenko added that on-chain data traces the attacker's pre-funding to a Binance withdrawal 38 hours before the exploit, with the destination address already wired to swap LTC into ETH on a decentralised exchange — a level of preparation that does not square with an unknown vulnerability.
Market impact
The 13-block reorg reversed about 32 minutes of activity before the network's longest valid chain overtook the attacker's fork once the DoS against patched miners stopped. The structural read for the broader market is that older proof-of-work networks like Litecoin and bitcoin rely on independent mining pools choosing when to upgrade, which works for routine changes but leaves an exploitable gap when a security patch must reach every operator before an attacker does — the opposite of the hours-long coordinated upgrade newer chains can run.
Frequently asked questions
-
What actually happened to Litecoin over the weekend of April 25?
Attackers exploited a vulnerability in Litecoin's Mimblewimble Extension Block (MWEB) protocol to push invalid transactions through unpatched nodes, triggering a 13-block chain reorganization that reversed about 32 minutes of activity.
-
Why is the 'zero-day' framing disputed?
The public litecoin-project GitHub shows the core consensus bug was privately patched between March 19 and March 26, roughly four weeks before the attack — a zero-day is, by definition, a vulnerability unknown to defenders at the time of exploitation.
-
Who flagged the patch-timeline discrepancy?
Security researcher bbsz of the SEAL911 emergency-response group pulled the patch timeline from the public commit log, and NEAR Foundation's Alex Shevchenko raised parallel concerns, including on-chain evidence of the attacker's pre-funding via Binance.
-
How did the network recover from the 13-block reorg?
Once denial-of-service attacks on patched mining nodes stopped, the longest valid chain overtook the attacker's fork and the network reorganised back to the canonical state. The 32-minute invalid window was effectively reversed.
-
Has the Litecoin Foundation responded to the GitHub timeline?
As of Sunday morning, the Foundation had not publicly addressed the patch timeline or disclosed how much LTC was moved during the invalid block window and the value of any swaps completed before the reorg reversed them.
CoinDesk