Table of Contents
ToggleThe Litecoin network experienced a security incident on the 25th: an input validation vulnerability affecting the MWEB (MimbleWimble Extension Blocks) protocol layer was triggered, causing 13 blocks to be reorganized consecutively over a period of more than 3 hours. Litecoin's normal block generation rate is one block every 2.5 minutes.
Initially, on-chain monitoring tools issued anomaly alerts, leading some observers to mistakenly identify it as a 51% attack. After confirmation by the core development team, the root cause was determined to be a logical vulnerability in the MWEB protocol itself, rather than external computing power hijacking.
Core vulnerability: MWEB kernel sum imbalance
According to Litecoin's official announcement , the main vulnerability in this incident (commit 1dcbf3f ) allowed the MWEB kernel sum to become unbalanced, directly compromising the integrity of MWEB's input and output accounting. Attackers could use this to unlock coins in MWEB and transfer them to third-party decentralized exchanges (DEXs).
In the official announcement, developer Loshan stated: "This release includes important security updates, and all node operators and wallet users are strongly advised to upgrade (ASAP) as soon as possible."
v0.21.5.4 also patched several related security issues:
Added dual verification of input commitment and public key for MWEB input (commit e7cbf1d ) to provide additional defense depth; fixed the kernel fee integer overflow issue during MWEB transaction verification ( 42e7071 ); cleared block data of mutated blocks to prevent miner DoS ( 742ee94 ); miners no longer include MWEB transactions when the sum of input/output commitments is zero ( f423a84 ).
NEAR Intents: $600,000 in damages, promising to compensate users.
NEAR Intents has publicly stated that the blockchain reorganization has exposed approximately $600,000 in assets on its platform to potential risks. NEAR Intents has pledged to compensate affected users and has suspended related LTC services pending network stability confirmation.
The network returned to normal consensus later that day, and all the aforementioned vulnerabilities were patched after the official release of v0.21.5.4.
Ecological robustness background: MWEB coverage exceeds 90%
Since its launch in 2022, MWEB has achieved a node support rate of over 90% and a total balance of 260,000 LTC, making it a core pillar of Litecoin's network privacy features. This vulnerability involves the protocol-level accounting logic, and its impact is not limited to specific wallets; all nodes running older versions are at risk.
In addition, v0.21.5.4 also includes stability fixes: including data corruption issues during PMMR rewind ( 23e5eac ), improved MMR file write durability, the addition of MWEB view keys to the dumpwallet output, and a fix for Boost >= 1.78 compatibility issues.
Currently, LTC is priced at approximately $56.26. In March of this year, the SEC-CFTC joint framework classified LTC as a "digital good," leading to continued inflows into the Spot LTC ETF; the LitecoinVM zero-knowledge summary testnet also launched in early April. This security incident was a sudden event at the protocol layer, and the development team has responded quickly; the long-term ecosystem development direction remains unchanged.
Official GitHub release page: v0.21.5.4 Release Notes
Related reports
Speculation on next year's halving? Litecoin surges 37% intraday, breaking the bear market silence.
Zcash surged 15 times in three months, becoming the "encrypted version of Bitcoin"?
