Litecoin patches zero-day bug after 13-block reorg

Litecoin confirmed on April 25 that a zero-day bug affecting major mining pools allowed invalid MimbleWimble Extension Block (MWEB) transactions to be accepted by nodes that had not updated their software. The network performed a 13-block chain reorganization that removed the invalid transactions. The Litecoin team reported the bug has been patched and the network is operating normally as of 4:22 p.m. ET.

According to the Litecoin statement, non-updated mining nodes processed an invalid MWEB transaction that enabled coins to be pegged out to third-party decentralized exchanges. The protocol response was a reorganization that discarded the chain containing the invalid activity and restored a main chain without those transactions. Litecoin reported that valid transactions during the incident remained unaffected.

Onchain timestamps show the 13 blocks took more than three hours to produce, compared with the roughly 32 minutes normally expected for 13 blocks at Litecoin’s 2.5-minute target time. That discrepancy led some observers to initially treat the event as a possible 51% attack. Aurora Labs CEO Alex Shevchenko and onchain analyst Zacodil flagged the reorganization earlier in the day, prompting exchanges and cross-chain services to pause some Litecoin-related operations while they assessed exposure.

NEAR Intents reported roughly $600,000 in potential exposure and said its team would cover any user losses. Litecoin’s confirmation that the invalid transactions were removed from the main chain indicates actual settled losses may be lower than that initial estimate. NEAR Intents has not yet issued a follow-up statement. Other cross-chain services that suspended activity are expected to reassess their exposure after the Litecoin update.

The Litecoin team urged node operators and miners to run the updated client to avoid similar problems caused by a mix of updated and non-updated nodes. Developers and security researchers continue to monitor chain behavior and third-party services for any residual effects.

Zooko Wilcox, founder of Zcash, wrote: “This isn’t an isolated incident. There have been many of these rollback-and-double-spend attacks against Proof-of-Work-alone blockchains both years ago and recently, including recently against Monero and Grin.”

Protocol teams and affected services are reporting follow-up findings as they complete checks. The situation remains under observation and additional technical updates may follow.