Litecoin’s 13-Block Reorganization Wasn’t a Zero-Day, GitHub Commit History Shows

Litecoin underwent a 13-block chain reorganization over Friday evening and Saturday, rewinding approximately 32 minutes of network activity, after attackers used a vulnerability in its Mimblewimble Extension Block (MWEB) protocol.

The bug had enabled a denial of service attack against major mining pools, allowing invalid MWEB transactions to pass through nodes that had not been updated, before the longest valid chain in the network corrected them.

The Litecoin Foundation said on Sunday morning, Asia time, that the bug had been fully fixed and the network was functioning normally.

However, prominent researchers say the Litecoin project’s GitHub repository tells a different story. Security researcher bbsz, who works with the SEAL911 emergency response group for cryptographic exploits, published the patch timeline taken from the public commit log.

The consensus vulnerability that allowed invalid MWEB pairing was privately patched between March 19 and 26, approximately four weeks before the attack. A separate denial of service vulnerability was fixed on the morning of April 25.

Both fixes were integrated into version 0.21.5.4 the same afternoon, after the attack had already begun.

“The postmortem indicates that a zero day caused a DoS that passed an invalid MWEB transaction,” bbsz wrote. “The git log tells a slightly different story.”

A zero-day refers to a vulnerability unknown to defenders at the time of an attack.

Litecoin’s commit history shows that the consensus vulnerability was known and privately patched a month before the exploit, but the patch had not been publicly released or required for all mining pools.

This created a window in which some miners ran the patched code while others ran the still-vulnerable version, and the attackers seemed to know which was which.

Alex Shevchenko, technical director of the NEAR Foundation’s Aurora Project, raised parallel concerns in a discussion thread.

Blockchain data showed that the attacker had pre-funded a wallet 38 hours before the exploit via a Binance withdrawal, with the destination address already set up to exchange LTC for ETH on a decentralized exchange.

The denial of service attack and the MWEB bug were separate components, Shevchenko explained, with the DoS designed to take patched mining nodes offline so that unpatched ones formed the chain that included invalid transactions.

The fact that the network automatically handled the 13-block reorganization once the DoS stopped suggests that enough hashrate was running updated code to ultimately defeat the attack, but only after the unpatched fork had been running for 32 minutes.

The hit on Litecoin shows how networks differ in the way code maintainers and developers respond to exploits. Newer chains with smaller, more centralized sets of validators coordinate upgrades through newsgroups and can push fixes out to the entire network within hours.

Older proof-of-work networks like Litecoin and Bitcoin rely on independent mining pools that choose when to upgrade, which works for non-urgent changes but creates a window of vulnerability when a security patch must reach everyone before an attacker exploits that loophole.

The Litecoin Foundation had not publicly addressed the GitHub timeline as of Sunday morning.

The amount of LTC set during the invalid lock window and the value of all swaps made before the reorganization canceled them have not been disclosed.
