Litecoin Network Rewrites 13 Blocks After April 25, 2026 Denial-of-Service Zero-Day Exploit

Litecoin suffered a denial-of-service attack on April 25, 2026 that led the network to rewrite history through a 13-block chain reorganization, reversing invalid transactions tied to its MimbleWimble Extension Block (MWEB) privacy layer.

“Litecoin hit by denial-of-service attack, rewrites 13 blocks to reverse effect Litecoin's foundation called the weekend exploit a zero-day”

@coindesk

CoinDesk reported that the exploit rewound about 32 minutes of activity, with the reorganization ultimately returning to the valid chain once denial-of-service attacks on patched miners ceased.

@coindesk

The Block described the incident as a deep chain reorganization that followed attackers exploiting a zero-day vulnerability tied to MWEB, and said the Foundation stated the offending transactions were erased from Litecoin’s history.

Multiple outlets tied the disruption to mining nodes running older or non-updated software that accepted invalid MWEB transactions, enabling coins to be pegged out to third-party decentralized exchanges (DEXs).

Bitget similarly said the reorg reversed invalid transactions and that the issue stemmed from non-updated mining nodes processing invalid MWEB transactions.

CyberSecurityNews added that the invalid MWEB transaction enabled coins to be pegged out to third-party decentralized exchanges without proper authorization, bypassing standard transaction controls.

Across coverage, Litecoin’s response was consistent: a 13-block reorg discarded the invalid chain produced during the exploit window, while valid transactions processed during that period remained unaffected.

While Litecoin’s official messaging described the weekend exploit as a zero-day, CoinDesk reported that the litecoin-project GitHub repository shows the consensus vulnerability was privately patched between March 19 and March 26, more than four weeks before the attack.

CoinDesk said the foundation called the weekend exploit a zero-day, but that public GitHub commits show the core consensus bug was privately fixed weeks before the exploit, creating a window where some mining pools ran updated code while others remained vulnerable.

Bitcoin News

CoinDesk also reported that a separate denial-of-service vulnerability was patched on the morning of April 25, and that both fixes were rolled into release 0.21.5.4 the same afternoon after the attack had already begun.

The Block likewise said the Foundation said the bug is now fully patched, and it described the incident as the first known attack targeting MWEB since Litecoin activated the privacy extension via soft fork in May 2022.

CoinDesk added that the Litecoin Foundation had not publicly explained the patch timeline or disclosed how much LTC was affected during the invalid block window.

Bitget claimed Litecoin confirmed a zero-day bug triggered a denial-of-service attack on April 25, 2026 and said the exploit has been fully patched, with the network now operating normally.

CyberSecurityNews said the vulnerability has since been fully patched and urged node operators and mining pool administrators to immediately upgrade to the latest software version.

The incident drew direct commentary from crypto leaders and researchers about what the attack represented and how it worked.

“One of the oldest altcoins in the cryptocurrency market has been targeted by hackers, according to an official statement released today”

Bitcoin Sistemi

CoinDesk quoted Alex Shevchenko, CTO of NEAR Foundation's Aurora project, raising concerns in a thread and arguing that the denial-of-service attack and the MWEB bug were separate components, with the DoS designed to take patched mining nodes offline so unpatched ones would form the chain that included invalid transactions.

CoinDesk also described Shevchenko’s argument that blockchain data showed the attacker pre-funded a wallet 38 hours before the exploit through a Binance withdrawal, with the destination address already configured to swap LTC into ETH on a decentralized exchange.

The Block quoted Shevchenko calling the event a "coordinated attack" in the Foundation’s note, and it also reported that Shevchenko said, "The exposure for NEAR Intents is around $600k."

Zooko Wilcox, Zcash founder, wrote on Saturday that "This isn’t an isolated incident. There have been many of these rollback-and-double-spend attacks against Proof-of-Work-alone blockchains both years ago and recently, including recently against Monero and Grin," according to The Block.

Bitget quoted Zooko Wilcox as saying, "This isn’t an isolated incident… including recently against Monero and Grin," highlighting broader risks tied to outdated nodes in proof-of-work networks.

Across these voices, the common thread was that the exploit depended on patch adoption lag and on how attackers could exploit the gap between updated and non-updated mining nodes.

Coverage diverged on what to emphasize: whether the core issue was a true zero-day, the mechanics of the reorg, or the broader implications for proof-of-work security.

CoinDesk framed the story around the mismatch between the foundation’s zero-day characterization and the GitHub commit history, stating that the consensus vulnerability was privately patched between March 19 and March 26 and that the window allowed some mining pools to run updated code while others remained vulnerable.

bloomingbit

The Block focused on the Foundation’s explanation of the exploit mechanics and the reorg’s effect, saying the bug allowed mining nodes running older software to validate an invalid MWEB transaction and that attackers used the more than three-hour fork window to attempt double-spends against cross-chain swap protocols.

Bitcoin News emphasized Litecoin’s official confirmation and said the reorg was not attackers successfully rewriting history for profit, but instead "the network correcting a bug-driven exploit by discarding the invalid chain."

Bitget described the reorg as reversing invalid transactions and said the reorg initially suspected to be a 51% attack instead reflected the network discarding an invalid chain produced during the exploit window.

CyberSecurityNews highlighted the security angle, describing a critical zero-day vulnerability actively exploited to launch a denial-of-service attack that temporarily disrupted operations across major mining pools and that attackers crafted a malformed MWEB transaction that these non-updated nodes accepted as valid.

Bloomingbit described the incident in terms of voiding trades, saying Litecoin carried out a 13-block chain reorganization and voided all abnormal transactions that occurred during that period, with the affected transactions not included in the main chain.

The stakes described across the reporting centered on cross-chain exposure, the risk of trading venues and protocols that interacted with Litecoin during the invalid window, and the operational response required to prevent recurrence.

“Summary - Litecoin said a zero-day vulnerability triggered a denial-of-service (DoS) attack and affected some major mining pools”

bloomingbit

NEAR Intents was repeatedly cited as having estimated exposure around $600,000, with Bitget saying "NEAR Intents had estimated around $600,000 in exposure, though actual losses may be lower after the invalid transactions were removed from the main chain."

CoinDesk

The Block also reported that "The exposure for NEAR Intents is around $600k," and it said some trading venues have reported losses from the incident.

Bitcoin News similarly stated that NEAR Intents had originally reported approximately $600,000 in exposure and that with Litecoin confirming the invalid transactions were reversed and wiped from the main chain, the actual settled losses may be significantly lower than initially reported.

CyberSecurityNews said users and exchanges are not expected to experience any loss of funds related to the incident, according to the Litecoin development team’s post-incident statement.

Multiple outlets also emphasized patching and upgrades: CoinDesk said Litecoin Core v0.21.5.4 was released and that "All users are advised to upgrade," while CyberSecurityNews urged "Update all Litecoin nodes to the latest patched release immediately."

Finally, CoinDesk reported that the Litecoin Foundation had not publicly addressed the GitHub timeline as of Sunday morning and that the amount of LTC pegged out during the invalid block window and the value of any swaps completed before the reorganization reversed them had not been disclosed.