Litecoin recently faced a significant security breach on April 25, when a vulnerability in its MWEB privacy layer was exploited, leading to a double-spend attack. The attacker targeted un-updated nodes to execute invalid transactions across cross-chain protocols, causing a financial risk of approximately $600,000. The network underwent a 13-block reorganization to rectify the issue, though it was revealed that the vulnerability had already been patched 37 days earlier, sparking debate over its classification as a “zero-day attack.” The incident marked Litecoin’s first major security breach since the activation of its MWEB layer in 2022. The attack involved a two-step process: initially paralyzing mining pools with a DoS attack, followed by exploiting the MWEB layer vulnerability. This led to invalid transactions being treated as legitimate by un-updated nodes, allowing the attacker to funnel funds to decentralized exchanges. The attacker’s actions were traced back to an address funded from Binance prior to the attack, indicating premeditated knowledge of the vulnerability. Despite some initial confusion attributing the event to a 51% attack, the network successfully reorganized to eliminate the invalid transactions, leaving legitimate transactions unaffected. The attacker capitalized on this window to execute double-spending transactions, particularly affecting cross-chain protocols like NEAR Intents, which reported a $600,000 exposure. Although the Litecoin Foundation did not disclose specific details about affected mining pools or the volume of LTC involved, the incident highlighted the challenges faced by PoW networks in ensuring security updates reach all nodes promptly. The official response from Litecoin, which mocked critics, drew significant backlash from the community, further exacerbating trust issues. This event underscores the vulnerabilities within DeFi’s cross-chain infrastructure, which remains a prominent target for attackers.
Was Litecoin’s recent double-spend attack truly a zero-day vulnerability?
