Reorganization of 13-block chain continues About 32 minutes of network activity resumed late Friday night and Saturday after attackers exploited a vulnerability in its MimbleWimble Extension Block (MWEB) protocol.
The bug had enabled a denial of service attack against major mining pools, allowing invalid MWEB transactions to slip through to nodes that were not updated before they were fixed by the network’s longest valid chain.
The foundation said the bug had been fully fixed as of Sunday morning Asian time and the network was working normally.
However, leading researchers say the Litecoin-project GitHub repository tells a different story. Security researcher bbsz, who works with the SEAL911 emergency response group for crypto exploits, posted a patch timeline pulled from public commit logs.
Now that thing has been made public on the Litecoin GitHub, we have a better understanding of the timeline and what happened.
In the age of the Mythos, this timeline doesn’t fly.
The post-mortem stated that a DoS occurred due to a zero-day that dropped an invalid MWEB tx. Git log on… https://t.co/zMMrheQLPP pic.twitter.com/O3DtdwV0rF
– BBSZ (@blackbigswan) 26 April 2026
The consensus vulnerability that allowed invalid MWEB peg-outs was privately patched between March 19 and March 26, approximately four weeks before the attack. A separate denial-of-service vulnerability was patched on the morning of April 25.
Both fixes were released in 0.21.5.4 the same afternoon, after the attack began.
“The postmortem states that a zero-day caused a DoS that aborted an invalid MWEB transaction,” BBSZ wrote. “The git log tells a slightly different story.”
Zero-day refers to a vulnerability unknown to defenders at the time of an attack.
Litecoin’s commit history shows that the consensus vulnerability was known and patched privately a month before the exploit, but the fix was not disseminated publicly or required for all mining pools.
This created a window where some miners ran the patched code while others still ran the vulnerable version, and it appears the attackers knew which was which.
Alex Shevchenko, CTO of the NEAR Foundation’s Aurora Project, raised parallel concerns in a thread.
Blockchain data shows that the attacker pre-funded a wallet 38 hours before the exploit via a Binance withdrawal, with the destination address already configured to swap LTC for ETH on the decentralized exchange.
Shevchenko argued that while the denial-of-service attack and the MWEB bug were separate components, DoS was designed to take patched mining nodes offline so that unpatched ones could create chains that included invalid transactions.
The fact that the network automatically handled the 13-block realignment after the DoS was pulled suggests that enough hashrate was running the update code to eventually overcome the attack, but only after the unpatched fork had been running for 32 minutes.
A hit on Litecoin shows how attacks on different networks react to code maintenance and developers’ exploits. New chains with a smaller, more centralized set of validators coordinate upgrades through chat groups and can push out network-wide patches in hours.
Older proof-of-work networks like Litecoin and Bitcoin rely on independent mining pools that choose when to upgrade, which works for non-urgent changes but creates a window of vulnerability when a security patch needs to reach everyone before an attacker can exploit the gap.
The Litecoin Foundation has not publicly addressed the GitHub timeline as of Sunday morning.
The amount of LTC anticipated during the invalid block window and the value of any swaps completed prior to the restructuring have not been disclosed.