Points of Focus

• A zero-day bug in Litecoin’s MWEB privacy layer enabled a DDoS attack that knocked updated mining pools offline.
• GitHub commit records show Litecoin developers privately fixed the MWEB vulnerability between March 19 and 26.
• Once the DDoS pressure eased, upgraded miners recovered sufficient hash power to outpace the invalid chain.

A consensus bug in Litecoin’s Mimblewimble privacy layer let attackers push invalid transactions onto the chain on April 25, triggering a 32-minute rollback and raising pointed questions about patch disclosure, coordination failures, and whether six confirmations still mean what users think they do. 

On April 25th, Litecoin underwent a 13 block reorg after non updated mining nodes accepted invalid MWEB transactions. The chain reorganized the affected blocks and transparent UTXOs remained intact throughout.

ForceX performed an independent reconciliation across the window.… pic.twitter.com/v749fgkfjt

— ForceX (@ForceXHQ) April 26, 2026

What happened on the afternoon of April 25

Litecoin’s network underwent a 13-block reorganization on April 25 and the network attributed the incident to a zero-day vulnerability in its Mimblewimble Extension Blocks protocol. The flaw enabled a DDoS attack against major mining pools running recently updated software, temporarily suppressing their hash power.

With upgraded miners knocked offline, older non-patched nodes took control of block production and accepted invalid MWEB transactions, allowing attackers to peg out coins to decentralized exchanges and cross-chain swap protocols. 

Onchain timestamps showed those 13 blocks took more than three hours to generate, compared to the normal target of roughly 32 minutes at Litecoin’s 2.5-minute block time. 

Aurora Labs CEO Alex Shevchenko and onchain analyst Zacodil flagged the reorg earlier in the day, with observers initially interpreting the 13-block reorganization as a classic 51% attack.

Zero-day or an inside job?

1. From our data the attacker was planning to swap LTC into ETH on this address: 0xfF18652A84aAd4f99F464f6B58cE7Ad929F6Fc10
which was funded 38h ago from @binance. Attacker knew about the bug for some time.

2. DoS attack was just putting nodes down to… https://t.co/QCVMOaJTRO

— Alex Shevchenko 🇺🇦 (@AlexAuroraDev) April 25, 2026

How the network corrected itself

Once the DoS attack lessened, upgraded nodes regained hashing power and the correct chain reestablished itself as dominant. Litecoin performed a 13-block reorg to remove the bad transactions from the main chain, replacing them with clean blocks that did not include the malicious activity. All legitimate transactions processed during the window were preserved.

NEAR Intents had originally reported approximately $600,000 in exposure, saying its team would cover any user losses. With Litecoin confirming the invalid transactions were reversed and wiped from the main chain, actual settled losses may be significantly lower than initially reported. 

Litecoin Core v0.21.5.4 was released the same day as a mandatory upgrade, correcting MWEB input and output accounting, preventing the kernel fee overflow, and erasing block data for mutated blocks to avoid miner denial-of-service conditions. 

Litecoin Core v0.21.5.4 released! All users are advised to upgrade. This release contains important security updates. https://t.co/6vtrhdXi4c

— Litecoin (@litecoin) April 25, 2026

The patch timeline that complicates the zero-day claim

Public GitHub commits show the core consensus bug was privately fixed weeks before the exploit, creating a window in which some mining pools ran updated code while others remained vulnerable, a gap researchers say the attackers appeared to target. 

The review of the Litecoin-project GitHub repository revealed that core developers privately discovered and patched the MWEB consensus vulnerability between March 19 and 26, 2026, more than 37 days before the April 25 incident. The fix was never broadly required across miners and nodes, leaving the attack window open.

Now that stuff has been made public on the Litecoin GitHub, we have a better sense of timeline and what happened.

In the age of Mythos, this timeline simply doesn't fly.

The post-mortem says one zero-day caused a DoS that let an invalid MWEB tx slip through. The git log on… https://t.co/zMMrheQLPP pic.twitter.com/O3DtdwV0rF

— bbsz (@blackbigswan) April 26, 2026

The Litecoin Foundation has not yet explained the patch timeline or disclosed how much LTC was affected during the invalid block window.

A coordination problem proof-of-work cannot easily solve

Newer chains with smaller, more centralized validator sets coordinate upgrades through chat groups and can push patches network-wide in hours. Older proof-of-work networks like Litecoin rely on independent mining pools choosing when to upgrade, which works for non-urgent changes but creates a window of vulnerability when a security patch needs to reach everyone before an attacker exploits the gap. 

The 13-block reorg represents roughly 2.5 hours of history. Six confirmations may not be sufficient if a buggy client release can trigger a reorg of this depth, raising real questions about finality for cross-chain protocols that accept LTC settlement.

The official response that made things worse

On April 26, Litecoin’s official account posted: ‘Some of you know little to nothing about PoW, hash rate, uptime, reorgs, and miner/chain relationships and it shows. Stay on the shallow end of the pool. You’re safer over there.’ 

Users called the post salty, childish, and unprofessional. Solana’s official account replied to reorg-related discussion with ‘How’s your weekend going little buddy?’ widely read as payback for months of Litecoin jabs aimed at Solana’s prior outage history. 

How’s your weekend going little buddy? https://t.co/j4DzarJwnx

— Solana (@solana) April 25, 2026

The network’s technical recovery was real. Its communications posture ensured the story did not end there.