Litecoin suffered an emergency rollback after being hit by a double-spend attack. Security researchers refute the "zero-day vulnerability" claim.

Original Author: Claude, TechFlow from Shenzhen

Overview: Litecoin faced a coordinated attack on April 25, where a vulnerability in the MWEB privacy layer was exploited. The attacker executed invalid transactions through un-updated nodes and carried out double-spending on cross-chain protocols within approximately 32 minutes. NEAR Intents reported a risk exposure of about $600,000. The network performed a 13-block reorganization to restore the chain state, but security researchers discovered the vulnerability had been silently patched 37 days prior, raising questions about the classification as a "zero-day attack." The official account later mocked critics, telling them to "stay in the shallow end," which sparked strong backlash from the community.

The Litecoin network experienced its first major security incident since activating MWEB (MimbleWimble Extension Blocks, Litecoin's privacy transaction layer) in 2022. The attacker exploited a consensus vulnerability in the MWEB layer, combined with a Denial-of-Service (DoS) attack on mining pools, to create a forked chain containing invalid transactions within about 32 minutes. They then exploited the window to execute double-spending attacks on multiple cross-chain protocols.

According to a report by The Block on April 26, Aurora Labs CEO Alex Shevchenko was the first to flag this anomaly on platform X, describing it as a "coordinated attack" involving blocks #3,095,930 to #3,095,943, with the recovery process taking over three hours.

Attack Executed in Two Steps: Paralyze Mining Pools First, Then Exploit Un-updated Nodes

According to an official statement released by the Litecoin Foundation on April 25, the attack path can be broken down into two stages.

The first step was launching a DoS attack on major mining pools to reduce the hashrate share of nodes running the updated client. The second step involved exploiting a consensus vulnerability in the MWEB layer to inject an invalid MWEB transaction into nodes still running the old software. These un-updated nodes incorrectly treated the transaction as valid, allowing the attacker to "peg out" funds from the MWEB privacy layer to the main chain and route the funds to third-party decentralized exchanges.

Shevchenko further disclosed the attacker's on-chain traces: the attacker planned to exchange LTC for ETH, and the address used was funded from Binance 38 hours before the attack occurred. He assessed that the attacker had prior knowledge of the vulnerability.

Under normal circumstances, Litecoin's block time is about 2.5 minutes, meaning 13 blocks should be produced in approximately 32 minutes. However, producing these 13 blocks took over three hours. This anomaly initially led some observers to mistakenly attribute the event to a 51% attack. In reality, once the DoS attack ceased, nodes running the updated code regained the hashrate advantage, and the network automatically completed a 13-block reorganization, removing the invalid transactions from the main chain. The Litecoin Foundation stated that all legitimate transactions during the reorganization were unaffected.

Cross-Chain Protocols Bear the Brunt, NEAR Intents Reports $600K Exposure

The attacker exploited the fork window to execute double-spending transactions on multiple cross-chain swap protocols. These protocols accepted the MWEB peg-out transactions that were later reversed by the reorganization, resulting in actual losses.

Shevchenko posted on platform X that NEAR Intents faced an exposure of approximately $600,000, and his team would cover user losses. He also warned all exchanges accepting LTC to audit their transaction records and holdings, as a large number of double-spending transactions existed on-chain.

According to Bitcoin News, after Litecoin confirmed the removal of the invalid transactions from the main chain, the actual settlement loss for NEAR Intents might be lower than the initial estimate. However, as of press time, the protocol had not issued any subsequent statement. Other cross-chain protocols that had paused LTC-related services were also reassessing their risk exposures.

The Litecoin Foundation did not disclose the names of the affected mining pools, nor did it reveal the amount of LTC the invalid MWEB transaction attempted to create.

An Old Problem for PoW Networks: Upgrades Rely on Voluntarism, Security Depends on Luck

Zcash founder Zooko Wilcox commented after the incident that such rollback-plus-double-spending attacks are not unique to PoW networks, citing similar incidents with Monero and Grin in recent years. In September 2025, Monero experienced its largest block reorganization in 12 years, rolling back 18 blocks and invalidating 117 transactions.

According to CoinDesk analysis, this event exposed a structural contradiction in PoW networks: Bitcoin and Litecoin lack a mandatory update mechanism, allowing nodes to run old versions indefinitely. While this design has philosophical value for decentralization, it creates a critical window of vulnerability when security patches need to reach everyone before attackers can exploit a flaw.

According to Yahoo Finance analysis, Litecoin's smaller hashrate size and lower security budget make it more vulnerable to attacks than Bitcoin. Rolling back 13 blocks on the Bitcoin network would require controlling over 50% of the hashrate, costing billions of dollars. However, on Litecoin, a single vulnerability combined with a DoS attack is sufficient to cause a reorganization of the same depth.

Official PR Blunder: Mocking Critics to "Stay in the Shallow End," Solana Fires Back

The subsequent handling of the incident may have caused more damage to trust than the attack itself.

On April 26, the official Litecoin X account posted: "It’s obvious some of you have zero understanding of PoW, hashrate, uptime, reorganizations, and miner/chain relationships. Stay in the shallow end. It’s safer for you there."

According to Bitcoin News, the post garnered hundreds of hostile replies. Users criticized it as "arrogant," "childish," and "unprofessional." One person wrote, "I've held your coin for years, and this is what you post?" The community expected technical transparency and post-mortem analysis, not mockery.

The official Solana account also joined the fray. Under discussions related to the reorganization on April 25, @solana replied: "How was your weekend, little guy?" The community interpreted this as a direct retaliation for Litecoin's past derision of Solana's history of outages.

LTC was quoted at around $56 after the incident was disclosed, down about 1% for the day and approximately 25% year-to-date. The market's immediate reaction to the event was relatively muted.

The DeFi Security Dilemma of 2026: Cross-Chain Infrastructure Remains the Biggest Attack Surface

According to data from The Block, by mid-April 2026, DeFi protocols had lost over $750 million due to various attacks. This includes the Kelp DAO bridge attack on April 19 ($292 million) and the attack on the Solana perpetuals platform Drift on April 1 ($285 million). Most major incidents involve cross-chain infrastructure, mirroring the method used in this Litecoin attack, where the attacker cashed out via cross-chain swap protocols.

The Litecoin incident once again demonstrates that the confirmation number problem faced by cross-chain protocols when accepting PoW chain assets is more severe than previously anticipated. When a vulnerable client release can trigger a 13-block reorganization, whether six confirmations are sufficient for security is no longer just a theoretical question.