Litecoin, a Level 1 Proof-of-Work (PoW) blockchain network, suffered a zero-day vulnerability attack on Saturday, causing a reorganization of 13 blocks on the chain, the Litecoin team said, while other developers said the vulnerability may have been known beforehand.
According to an update from the Litecoin team, the vulnerability launched a denial-of-service (DoS) attack on mining pools running the newly updated software, suppressing their computing power.
The team stated that this allows older nodes to "peg out" tokens to decentralized exchanges and cross-chain exchange protocols, resulting in invalid transactions being written into the network's MimbleWimble Extension Blocks (MWEB) privacy layer.
The Litecoin team stated that the updated node eventually regained control of the network's hash power, executed a 13-block reorganization, and rolled back invalid transactions that would not appear on the main chain. The vulnerability has now been fully patched.
This incident comes at a time when the number of zero-day vulnerabilities is rising—vulnerabilities in code that software developers are unaware of at the time of product release but which can be exploited—as AI systems like Anthropic's Claude Mythos outperform humans in identifying such attack surfaces.
Some people may have known about the software vulnerability in advance.
According to Alex Shevchenko, co-founder of the Layer 2 scaling network Aurora.sayEarlier this week, a Binance address provided funds to the attacker, suggesting that the attack may have been pre-planned and that the attacker was aware of the code vulnerability beforehand. He said:
"The protocol automatically handled the reorganization after the DoS stopped, which is good, indicating that some computing power was actually running the updated code. Therefore, this vulnerability is known and is not a zero-day vulnerability."
Blockchain developer Vadim later stated, "The timing and target of the attack indicate that this was not a random opportunity." He added, "Low-hashrate layer-one networks are no longer secure collateral for cross-chain value."
Cross-chain bridges, responsible for transferring digital assets between different blockchain protocols, have long been a major attack surface in the crypto space, causing billions of dollars in losses over the years.
A recent high-profile cross-chain bridge vulnerability case was the attack on the Kelp restaking protocol on April 18, which resulted in the platform losing approximately $293 million earlier this month.
