Litecoin Suffers Double-Spend Attack and Emergency Rollback; Security Researchers Refute "Zero-Day Vulnerability" Claims

Original Author: Claude, TechFlow (Shenzhen)

Overview: On April 25, Litecoin suffered a coordinated attack exploiting a vulnerability in the MWEB privacy layer. The attacker executed invalid transactions through un-updated nodes and conducted double-spending on cross-chain protocols within approximately 32 minutes, with NEAR Intents reporting an exposure of around $600,000. The network performed a 13-block reorg to repair the chain state, but security researchers found the vulnerability had been privately patched 37 days prior, questioning the "zero-day attack" characterization. The official account later taunted critics to "stay in the shallow end," sparking strong community backlash.

On April 25, the Litecoin network experienced its first major security incident since activating MWEB (MimbleWimble Extension Block, Litecoin's privacy transaction layer) in 2022. The attacker exploited a consensus vulnerability in the MWEB layer, combined with a denial-of-service (DoS) attack on mining pools, to create a forked chain containing invalid transactions over approximately 32 minutes. During this window, they executed double-spending attacks on multiple cross-chain protocols.

According to The Block on April 26, Aurora Labs CEO Alex Shevchenko first flagged the anomaly on X platform, characterizing it as a "coordinated attack" involving blocks #3,095,930 to #3,095,943, with recovery taking over three hours.

Attack Executed in Two Steps: First Cripple Mining Pools, Then Exploit Un-Updated Nodes

According to an official statement from the Litecoin Foundation on April 25, the attack path can be divided into two phases.

The first step involved launching a DoS attack on major mining pools, reducing the hashrate share of nodes running updated client software. The second step exploited a consensus vulnerability in the MWEB layer, injecting an invalid MWEB transaction into nodes still running the old software version. These un-updated nodes erroneously treated the transaction as valid, allowing the attacker to "peg out" funds from the MWEB privacy layer (transferring funds from the privacy layer to the main chain) and route them to third-party decentralized exchanges.

Shevchenko further disclosed the attacker's on-chain traces: The attacker planned to swap LTC for ETH, using an address that received funds from Binance 38 hours before the attack. He assessed that the attacker had prior knowledge of the vulnerability.

Under normal conditions, Litecoin produces blocks approximately every 2.5 minutes, meaning 13 blocks should be generated in about 32 minutes. However, this time, the 13 blocks took over three hours, initially leading some observers to mistakenly believe it was a 51% attack. In reality, once the DoS attack stopped, nodes running the updated code regained hashrate superiority, and the network automatically completed a 13-block reorg, removing the invalid transaction from the main chain. The Litecoin Foundation stated that all legitimate transactions during the reorg were unaffected.

Cross-Chain Protocols Become the Actual Victims, NEAR Intents Reports $600,000 Exposure

The attacker exploited the fork window to execute double-spending transactions on multiple cross-chain swap protocols. These protocols accepted the MWEB peg-out transactions that were later reorged out, resulting in actual losses.

Shevchenko posted on X that NEAR Intents had an exposure of approximately $600,000, and their team would cover user losses. He also warned all exchanges accepting LTC to audit their transaction records and holdings, as there were numerous double-spending transactions on-chain.

According to Bitcoin News, after Litecoin confirmed the invalid transactions were removed from the main chain, NEAR Intents' actual settlement losses might be lower than the initial estimate, but the protocol had not released a follow-up statement as of press time. Other cross-chain protocols that paused LTC-related services were also reassessing their risk exposure.

The Litecoin Foundation did not disclose the names of the affected mining pools nor the amount of LTC the invalid MWEB transaction attempted to create.

An Old Problem for PoW Networks: Upgrades Rely on Voluntarism, Security Depends on Luck

Zcash founder Zooko Wilcox commented after the incident that such rollback-plus-double-spending attacks are not unique to PoW networks, with Monero and Grin experiencing similar events in recent years. In September 2025, Monero underwent its largest block reorganization in 12 years, rolling back 18 blocks and invalidating 117 transactions.

According to CoinDesk analysis, this event exposed a structural contradiction in PoW networks: Bitcoin and Litecoin lack a forced update mechanism, allowing nodes to run old software indefinitely. While this design has value in its decentralization philosophy, it creates a fatal window when security patches need to reach everyone before an attacker exploits the vulnerability.

According to Yahoo Finance analysis, Litecoin's smaller hashrate and lower security budget make it more vulnerable to attacks than Bitcoin. Rolling back 13 blocks on the Bitcoin network requires controlling over 50% of the hashrate, costing billions of dollars; but on Litecoin, a single vulnerability combined with a DoS attack is sufficient to cause a reorg of equal depth.

Official PR Backfires: Taunting Critics to "Stay in the Shallow End," Solana Strikes Back

The subsequent handling of the incident may have caused more trust damage than the attack itself.

On April 26, Litecoin's official X account posted: "Some of you clearly know nothing about PoW, hashrate, uptime, reorgs, and miner/chain relationships. Stay in the shallow end, it's safer for you there."

According to Bitcoin News, the post drew hundreds of hostile replies. Users criticized it as "arrogant," "immature," and "unprofessional." One user wrote, "I've held your coin for years, and this is what you post?" The community expected technical transparency and post-mortem analysis, not sarcasm.

The Solana official account also joined the interaction. Under discussions regarding the April 25th reorg, @solana replied: "How was your weekend, little guy?" The community interpreted this as a direct counterpunch to Litecoin's previous history of mocking Solana's downtime.

LTC was trading at approximately $56 following the incident disclosure, down about 1% on the day and approximately 25% year-to-date. The market's immediate reaction to the event was relatively muted.

The 2026 DeFi Security Dilemma: Cross-Chain Infrastructure Becomes the Biggest Attack Vector

According to The Block data, DeFi protocols have lost over $750 million to various attacks as of mid-April 2026. This includes the April 19th Kelp DAO bridge attack ($292 million) and the April 1st attack on Solana perpetuals platform Drift ($285 million). Most major incidents involve cross-chain infrastructure, mirroring the method used by this Litecoin attacker to cash out through cross-chain swap protocols.

The Litecoin incident once again demonstrates that the confirmation number issue faced by cross-chain protocols when accepting PoW chain assets is more severe than anticipated. When a vulnerable client release can trigger a 13-block reorganization, whether 6 confirmations are secure enough is no longer a theoretical question.