Litecoin Suffers Double-Spending Attack, Emergency Rollback Implemented; “Zero-Day Vulnerability” Claim Refuted by Security Researcher
TechFlow Selected TechFlow Selected
Litecoin Suffers Double-Spending Attack, Emergency Rollback Implemented; “Zero-Day Vulnerability” Claim Refuted by Security Researcher
The official account later mocked critics as “staying in the shallow waters,” triggering a strong backlash from the community.
Navigating Web3 tides with focused insightsAuthor: Claude, TechFlow
TechFlow Summary: On April 25, Litecoin suffered a coordinated attack. A vulnerability in the MWEB privacy layer was exploited, enabling attackers to execute invalid transactions via unpatched nodes and perform double-spending attacks across cross-chain protocols within approximately 32 minutes. NEAR Intents reported ~$600,000 in exposure. The network executed a 13-block reorganization to restore chain state—but security researchers discovered the vulnerability had already been privately patched 37 days earlier, casting doubt on the “zero-day” characterization. Following the incident, the official account mocked critics with “Stay in the shallow end,” triggering strong community backlash.
On April 25, the Litecoin network experienced its first major security incident since the activation of MWEB (MimbleWimble Extension Blocks)—Litecoin’s privacy transaction layer—in 2022. Attackers exploited a consensus vulnerability in the MWEB layer, combined with a denial-of-service (DoS) attack against mining pools, to forge a forked chain containing invalid transactions within roughly 32 minutes—and executed double-spending attacks across multiple cross-chain protocols during this window.
According to a report by The Block on April 26, Alex Shevchenko, CEO of Aurora Labs, first flagged the anomaly on X, characterizing it as a “coordinated attack” involving blocks #3,095,930 through #3,095,943. The recovery process took over three hours.
The attack unfolded in two phases: first disabling mining pools, then exploiting unpatched nodes
Per an official statement released by the Litecoin Foundation on April 25, the attack path consisted of two stages.
The first stage involved launching a DoS attack against major mining pools, reducing the proportion of hashing power contributed by nodes running updated clients. The second stage exploited a consensus vulnerability in the MWEB layer to inject an invalid MWEB transaction into nodes still running outdated software. These unpatched nodes incorrectly treated the transaction as valid, allowing attackers to “peg out” funds from the MWEB privacy layer to the main chain and route them to third-party decentralized exchanges.
Shevchenko further disclosed on-chain traces of the attacker: the attacker planned to swap LTC for ETH, and the address used had received funds from Binance 38 hours before the attack. He concluded the attacker had prior knowledge of the vulnerability.
Under normal conditions, Litecoin produces a block every ~2.5 minutes, so 13 blocks should take ~32 minutes. Yet this time, producing those 13 blocks took over three hours—an anomaly that initially led some observers to misclassify the event as a 51% attack. In reality, once the DoS attack ceased, nodes running updated code regained hashing power dominance, and the network automatically performed a 13-block reorganization—removing the invalid transactions from the main chain. The Litecoin Foundation stated that all legitimate transactions processed during the reorganization remained unaffected.
Cross-chain protocols bore the real losses; NEAR Intents reports $600,000 exposure
Attackers leveraged the fork window to conduct double-spending transactions across multiple cross-chain swap protocols. These protocols accepted the MWEB peg-out transactions later invalidated by the reorganization—resulting in actual financial losses.
In a post on X, Shevchenko stated NEAR Intents’ exposure amounted to ~$600,000, and its team would cover user losses. He also warned all platforms accepting LTC to audit their transaction records and positions, as numerous double-spent transactions appeared on-chain.
According to Bitcoin News, after Litecoin confirmed the invalid transactions had been removed from the main chain, NEAR Intents’ actual settlement loss may fall below the initial estimate—but as of press time, the protocol had yet to issue a follow-up statement. Other cross-chain protocols that suspended LTC-related services were also reassessing their exposure.
The Litecoin Foundation did not disclose the names of affected mining pools or the amount of LTC the invalid MWEB transaction attempted to mint.
A longstanding PoW problem: Upgrades are voluntary; security is probabilistic
Zooko Wilcox, founder of Zcash, commented post-incident that rollback-and-double-spend attacks are not isolated incidents in PoW networks—Monero and Grin have both suffered similar events in recent years. In September 2025, Monero underwent its largest block reorganization in 12 years, rolling back 18 blocks and invalidating 117 transactions.
Per CoinDesk analysis, this incident exposed a structural contradiction inherent to PoW networks: Bitcoin and Litecoin lack mandatory upgrade mechanisms—nodes can run outdated software indefinitely. While philosophically aligned with decentralization, this design becomes critically dangerous when security patches must reach all participants *before* attackers exploit a vulnerability—creating a fatal window of exposure.
Yahoo Finance analysis notes Litecoin’s relatively small hash rate and lower security budget make it more vulnerable than Bitcoin. Rolling back 13 blocks on Bitcoin requires controlling >50% of the network’s hash rate—at a cost measured in billions of dollars—whereas on Litecoin, a single vulnerability plus a DoS attack sufficed to trigger a reorganization of equivalent depth.
Official PR disaster: Mocking critics as “staying in the shallow end”; Solana fires back
The aftermath management may have inflicted greater reputational damage than the attack itself.
On April 26, the official Litecoin X account posted: “It’s obvious that some of you know nothing about PoW, hash rate, uptime, reorgs, or miner/chain relationships. Stay in the shallow end—it’s safer for you.”
Per Bitcoin News, the post drew hundreds of hostile replies. Users criticized it as “arrogant,” “immature,” and “unprofessional.” One wrote: “I’ve held your coin for years—this is what you post?” The community expected technical transparency and a post-mortem—not mockery.
The Solana official account joined the exchange. Under a discussion thread about the April 25 reorganization, @solana replied: “How was your weekend, little guy?” The community interpreted this as a direct retort to Litecoin’s repeated past jabs at Solana’s historical outages.
At the time of disclosure, LTC traded around $56—down ~1% on the day and ~25% year-to-date. Market reaction to the incident was relatively muted.
The 2026 DeFi security crisis: Cross-chain infrastructure is the largest attack surface
Per The Block data, DeFi protocols lost over $750 million to various attacks between January 2026 and mid-April. This includes the April 19 Kelp DAO bridge hack ($292 million) and the April 1 Drift perpetuals platform attack on Solana ($285 million). Most major incidents involved cross-chain infrastructure—mirroring the method used by the Litecoin attackers to cash out via cross-chain swap protocols.
The Litecoin incident underscores how severely the confirmation-number challenge confronts cross-chain protocols when accepting assets from PoW chains. When releasing a vulnerable client version alone can trigger a 13-block reorganization, whether six confirmations remain sufficient for safety is no longer a theoretical question.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
深潮TechFlow
