Litecoin bug let attacker fake 85,034 LTC pegout, cause reorg
A Litecoin MWEB validation bug let an attacker fake an 85,034.47285734 LTC pegout in March; developers recovered most funds (attacker kept 850 LTC). An April attempt caused a 13-block reorg.
Litecoin developers published a postmortem confirming two related incidents tied to a Mimblewimble Extension Block (MWEB) validation bug. In March 2026 the bug allowed an attacker to fabricate an 85,034.47285734 LTC pegout; developers recovered 84,184.47278630 LTC after a recovery transaction, while the attacker kept 850 LTC. A separate attempt in April 2026 triggered a 13-block chain reorganization that produced losses for third-party services.
The postmortem identifies the root cause as a missing metadata check during block connection. When an MWEB input spends a previous output, the metadata it carries must match the UTXO being consumed. That check was enforced in the mempool and block-building paths but not fully applied at block connection, which allowed a malicious input with a real value of about 1.2084693 LTC to support a pegout of 85,034.47285734 LTC. Developers discovered the issue during an internal review on March 19 and traced exploitation to block 3,073,882.
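A simplified model of the gap described above, added here as an illustration and not taken from Litecoin Core or the postmortem: the same spend is rejected by the mempool path, accepted by a block-connection path that omits the metadata match, and rejected once both paths share one rule set. All type and function names are hypothetical, amounts are modeled as plain integers (real MWEB amounts are hidden in commitments), and the sample values are constructed from the figures quoted in the article.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>
// Toy model (assumption): amounts are plain integers, 1 LTC = 100000000 units.
struct Input { std::string spends; int64_t claimed; };  // metadata carried by the input
struct Tx { std::vector<Input> inputs; int64_t pegout; };
using UtxoSet = std::map<std::string, int64_t>;         // outpoint id -> real amount
// The metadata check: the input must match the UTXO it consumes.
bool InputMatchesUtxo(const Input& in, const UtxoSet& utxos) {
    auto it = utxos.find(in.spends);
    return it != utxos.end() && it->second == in.claimed;
}

// Balance rule, evaluated on the metadata the inputs carry.
bool Balances(const Tx& tx) {
    int64_t sum = 0;
    for (const auto& in : tx.inputs) sum += in.claimed;
    return sum >= tx.pegout;
}

// Mempool path: metadata match and balance are both enforced.
bool AcceptToMempool(const Tx& tx, const UtxoSet& utxos) {
    for (const auto& in : tx.inputs)
        if (!InputMatchesUtxo(in, utxos)) return false;
    return Balances(tx);
}

// Block connection with the gap: UTXO existence is checked, the metadata match is not.
bool ConnectBlockGap(const std::vector<Tx>& block, const UtxoSet& utxos) {
    for (const auto& tx : block) {
        for (const auto& in : tx.inputs)
            if (utxos.count(in.spends) == 0) return false;
        if (!Balances(tx)) return false;
    }
    return true;
}

// Block connection applying the same rule set as the mempool path.
bool ConnectBlockFixed(const std::vector<Tx>& block, const UtxoSet& utxos) {
    for (const auto& tx : block)
        if (!AcceptToMempool(tx, utxos)) return false;
    return true;
}
// Constructed sample: one UTXO worth about 1.2084693 LTC, one honest and one forged spend.
const UtxoSet kUtxos = {{"utxo-a", 120846930}};
const Tx kHonest = {{Input{"utxo-a", 120846930}}, 120000000};
const Tx kForged = {{Input{"utxo-a", 8503447285734}}, 8503447285734};
int main() { return ConnectBlockFixed({kForged}, kUtxos) ? 1 : 0; }  // exits 0: forged spend rejected
```

A block assembled directly by a miner never passes through the mempool path, which is why a rule enforced only there does not protect consensus.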
After finding the exploit, Litecoin developers coordinated privately with major mining pools and issued emergency updates. Litecoin Core 0.21.5 was released to miners to block new malformed inputs. A follow-up release, 0.21.5.1, added a historical exception for the already-accepted exploit block and temporarily froze three transparent outpoints that held the attacker’s funds. When the attacker attempted to spend a frozen output, upgraded miners rejected the transaction.
Developers then engaged the actor, who signed a recovery transaction returning 84,184.47278630 LTC to a developer-controlled address while retaining 850 LTC as an agreed bounty. Litecoin founder Charlie Lee purchased the 850 LTC so the MWEB balance could be restored. The full 85,034.47285734 LTC was pegged back into MWEB in a single transaction at block 3,078,098 and the resulting MWEB output was frozen. The postmortem states no user funds were lost in the March incident.
The April incident followed a similar path but produced a different failure mode. Upgraded nodes rejected the malformed block, but mutated MWEB block data caused certain mining RPC commands, including submitblock, to hang. Upgraded mining nodes stalled while unupgraded miners continued extending the invalid chain. The invalid chain grew to 13 blocks before upgraded miners coordinated to overtake and reorg it out.
Several third-party systems processed activity on the invalid chain before the reorganization. NEAR Intents confirmed the attacker swapped 11,000 LTC for 7.78814476 BTC before the reorg; those 11,000 LTC were not present on the valid chain after the reorg, leaving NEAR Intents with a confirmed loss. Thorchain reported a separate loss after the attacker swapped 10 LTC for 0.00719957 BTC through its bridge before the reorg.
Developers released Litecoin Core v0.21.5.4 on April 25 to address the mutated-block stall. The update erases stored block data for blocks classified as mutated, allowing valid data for the same block hash to be accepted later. The postmortem acknowledged shortcomings in the response, including reliance on checks that were not enforced at block connection, coordination risks created by staged miner releases, and lack of testing of the mutated-block failure mode against mining RPC behavior.
Community replies on the project’s X account were roughly 70% to 80% supportive of the team’s transparency and speed. The Litecoin X account posted, “Those in charge of posting from this [X] handle will do better in the future.” Node operators are advised to upgrade to Litecoin Core v0.21.5.4 or later, verify that nodes are syncing normally, and perform a reindex if a node remains stuck after a restart.