A 13-block chain reorganization on late Friday and Saturday, about 32 minutes of network activity was rolled back after hackers exploited a vulnerability in their Mimblewimble Extension Block (MWEB) protocol.
The flaw had enabled a denial-of-service attack against large mining pools, allowing the invalid MWEB transactions to slip through nodes that were not updated until the network’s longest valid chain corrected them.
The foundation said in Asian morning hours on Sunday that the fault had been fully fixed and that the network was operating normally.
However, prominent researchers say the litecoin project GitHub repository tells a different story. Security researcher bbsz, who works with the SEAL911 crypto exploits emergency response team, posted the patch timeline pulled from the public commit log.
Now that things have been published on the Litecoin GitHub, we have a better sense of the timeline and what happened.
In the age of Mythos, this timeline simply doesn’t fly.
The autopsy says that a zero-day caused a DoS that let an invalid MWEB tx slip through. Please log in… pic.twitter.com/O3DtdwV0rF
— bbsz (@blackbigswan) April 26, 2026
The consensus vulnerability that allowed the invalid MWEB association was patched privately between March 19 and March 26, approximately four weeks before the attack. A separate denial-of-service vulnerability was patched on the morning of April 25.
Both fixes were rolled into release 0.21.5.4 that afternoon, after the attack had already begun.
“The autopsy says a zero-day caused a DoS that allowed an invalid MWEB transaction to slip through,” bbsz wrote. “The Git log tells a slightly different story.”
A zero-day refers to a vulnerability unknown to defenders at the time of an attack.
Litecoin’s commit history shows that the consensus vulnerability was known and fixed privately a month before the exploit, but the fix had not been issued publicly or required for all mining pools.
That created a window where some miners ran the patched code while others ran the still-vulnerable version, and the attackers appear to have known which was which.
Alex Shevchenko, CTO of the NEAR Foundation’s Aurora project, raised parallel concerns in a thread.
Blockchain data showed that the attacker pre-funded a wallet 38 hours before the exploit through a Binance withdrawal where the destination address was already configured to exchange LTC for ETH on a decentralized exchange.
The denial-of-service attack and the MWEB flaw were separate components, Shevchenko argued, with the DoS designed to take patched mining nodes offline so that the unpatched ones would form the chain that included the invalid transactions.
The fact that the network automatically handled the 13-block reorganization once the DoS stopped suggests that enough hashrate was running updated code to eventually overpower the attack, but only after the unpatched fork had run for 32 minutes.
A hit on Litecoin shows how attacks on different networks differ in how code maintainers and developers respond to exploits. Newer chains with smaller, more centralized validation sets coordinate upgrades through chat groups and can push patches throughout the network in hours.
Older proof-of-work networks like Litecoin and bitcoin rely on independent mining pools to choose when to upgrade, which works for non-urgent changes, but creates a window of vulnerability when a security patch needs to reach everyone before an attacker exploits the hole.
The Litecoin Foundation has not publicly addressed the GitHub timeline as of Sunday morning.
The amount of LTC pegged out during the invalid lockout window and the value of any swaps completed before the reorganization returned them has not been disclosed.
