Litecoin MWEB Exploit — April 25, 2026 Post-Mortem (Aggregated)
The Incident
On April 25, 2026, Litecoin suffered a 13-block chain reorganization triggered by an exploit of its MimbleWimble Extension Block (MWEB) privacy layer. The fork stretched from block 3,095,930 to block 3,095,943 and rewound roughly 32 minutes of network activity, taking more than three hours to resolve. The attacker faked a peg-out of 85,034 LTC out of the MWEB privacy extension before developers froze the funds.
How the Attack Worked
The attacker exploited a previously fixed-but-not-yet-broadcast consensus bug in MWEB's peg-out path, combined with a denial-of-service vulnerability that disrupted mining pools running updated software. The DoS forced the network to rely on nodes that had not yet installed the patch. Those unpatched nodes accepted an invalid MWEB transaction that pegged coins out of the privacy extension. During that window, attackers executed double-spend attacks against cross-chain swap services that had already accepted the invalid MWEB peg-out as final.
The Core Technical Issue
The consensus fix for the underlying MWEB peg-out vulnerability was privately discovered and patched between March 19 and March 26, 2026 — roughly 37 days before the April 25 attack. The patch had been sitting in Litecoin's GitHub commit history for a month but was neither broadcast publicly nor made a mandatory upgrade for mining pools, leaving a non-trivial fraction of the network vulnerable. Litecoin Core v0.21.5.4 was released on April 25 to address the mutated-block stall.
Cross-Chain Loss
NEAR Intents, the cross-chain swap router, accepted the attacker's MWEB-pegged-out LTC as final and swapped 11,000 LTC for 7.78814476 BTC before the reorg rolled back the LTC side. The 11,000 LTC were not present on the valid chain after the reorg, leaving NEAR Intents with a confirmed loss. NEAR co-founder Illia Polosukhin publicly stated the cross-chain bridge faced approximately $600,000 in exposure from the incident. NEAR Intents pledged to compensate affected users and temporarily suspended its LTC services.
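The failure mode described above, where a deposit is treated as final and is then removed by a reorg, can be checked on the service side as sketched below. This is an added example, not code from Litecoin or NEAR Intents: the function names, block hashes and deposits are constructed, and treating block 3,095,930 as the last common block is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Deposit:
    txid: str
    height: int
    block_hash: str  # block in which the service saw the deposit confirm

def fork_point(old_view, new_view):
    """Highest height at which both chain views hold the same block hash."""
    shared = [h for h, bh in old_view.items() if new_view.get(h) == bh]
    if not shared:
        raise ValueError("no common ancestor inside the tracked window")
    return max(shared)

def reorg_depth(old_view, new_view):
    """Number of blocks disconnected from the old tip."""
    return max(old_view) - fork_point(old_view, new_view)

def release_allowed(dep, tip_height, min_conf):
    """Confirmation-count policy: pay out only after min_conf confirmations."""
    return tip_height - dep.height + 1 >= min_conf

def orphaned(deposits, new_view):
    """Deposits whose confirming block is no longer on the best chain."""
    return [d for d in deposits if new_view.get(d.height) != d.block_hash]

# Constructed data. Heights reuse the reported range; block 3,095,930 as the
# last common block is an assumption made for this example.
FORK, OLD_TIP = 3_095_930, 3_095_943
COMMON = {h: f"common-{h}" for h in range(FORK - 5, FORK + 1)}
OLD_VIEW = {**COMMON, **{h: f"old-{h}" for h in range(FORK + 1, OLD_TIP + 1)}}
NEW_VIEW = {**COMMON, **{h: f"new-{h}" for h in range(FORK + 1, OLD_TIP + 2)}}
DEPOSITS = [
    Deposit("tx-a", 3_095_927, "common-3095927"),  # below the fork, survives
    Deposit("tx-b", 3_095_935, "old-3095935"),     # on the abandoned branch
]

if __name__ == "__main__":
    depth = reorg_depth(OLD_VIEW, NEW_VIEW)
    print("reorg depth:", depth)
    for d in orphaned(DEPOSITS, NEW_VIEW):
        print(d.txid, "orphaned; released under a 6-conf policy:",
              release_allowed(d, OLD_TIP, 6),
              "| under depth+1:", release_allowed(d, OLD_TIP, depth + 1))
```

A fixed confirmation threshold shallower than the reorg would have released against tx-b before the rollback. Depth alone also does not help if the validating node accepts a block that patched nodes reject.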
Disputed "Zero-Day" Framing
Litecoin's initial public statement described the issue as a zero-day, but GitHub commit history showed the fix had been in place for 37 days prior. Independent researchers argued this was therefore not a zero-day in the strict sense — the vulnerability was known, the patch existed, but the rollout was not mandated.