Most Litecoin nodes ignore patch for double-spending bug

Earlier this year, a hacker tried to double-spend litecoin (LTC) before an emergency, 13-block reorganization thwarted the attack.

Even though developers have released a flurry of code patches to prevent a repeat, most of the Litecoin network’s nodes have still not installed the fix.

The patch has been available for free download for nearly two months. Nonetheless, of the nodes tracked by a major monitoring service, less than 30% are running up-to-date software that would reject the type of transactions behind April’s double-spending attempt.

Sadly, the largest cohort of node operators on the Litecoin network by software version run v0.21.4. This vulnerable version is live on roughly 39% of reachable nodes, most of which are non-mining.

Fortunately, most mining Litecoin nodes have updated their software, even though the non-mining validating nodes that make up the majority of the network are still running the old, buggy code.


A post-incident review admitted that adoption of the patched software was a meager 23% after nearly two weeks of public release.

As the weeks roll on, the kind of malformed transaction that triggered April’s reorg would still be temporarily accepted by a majority of reachable nodes today, even though miners would not be fooled and would continue building on the correct chain tip.

The original vulnerability sat in Litecoin Core’s handling of MimbleWimble Extension Block (MWEB) transactions. MWEB is a Litecoin privacy layer the project activated in 2022. 

Earlier this year, a malformed MWEB peg-out transaction allowed a tiny input to back a far larger withdrawal of LTC, effectively creating coins that should never have existed.

Nodes ignore the patch for Litecoin’s double-spending bug

It would be far more secure if most — or ideally all — nodes patched their software to reject invalid peg-out transactions containing unfairly minted LTC, but despite the fix being public for weeks, the network has declined or simply been too lazy to install it.

Released in April, still not picked up by most Litecoin nodes.

The major incident involving the exploit occurred on April 25. Non-upgraded mining nodes accepted an invalid MWEB transaction, and an attacker pegged out coins to third-party venues in an attempt to convert the fake LTC for other assets.

A 13-block reorganization beginning at block 3,095,931, documented in the post-mortem, fortunately reversed those transactions and wiped out roughly half an hour of blockchain activities.

The official Litecoin account admitted on social media, “A zero-day bug caused a DoS attack that disrupted major mining pools.” Litecoin creator Charlie Lee also posted about the double-spending attempt.

Litecoin node software developers shipped v0.21.5.4 the day after the reorg to stop the immediate threat of mining denial-of-service.

They soon followed with another patch in early May, v0.21.5.5, to add consensus-level MWEB validation hardening. Many node operators have simply ignored it.
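One way an operator or monitoring service could measure the adoption described above is to classify each reachable node's advertised version against the two patch releases the article names. The following is an added example, not code from Litecoin Core or from the monitoring service the article refers to; the user-agent format, the sample node list and the treatment of v0.21.5.4 as "DoS fix only" versus v0.21.5.5 as "consensus hardening" are assumptions drawn from the version numbers in the text.

```python
import re
from collections import Counter

# Patch levels taken from the article (assumption: later version strings compare
# component-wise, padded with zeros, so 0.21.4 < 0.21.5.4 < 0.21.5.5).
PATCHED_DOS = (0, 21, 5, 4)         # v0.21.5.4: stops the mining denial-of-service
PATCHED_CONSENSUS = (0, 21, 5, 5)   # v0.21.5.5: adds MWEB consensus-level validation

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text):
    """Extract a dotted version from a string such as 'v0.21.4' or a
    user-agent like '/LitecoinCore:0.21.5.5/' (format is an assumption).
    Returns a 4-tuple of ints, or None if no version is present."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return (parts + (0, 0, 0, 0))[:4]


def classify(text):
    """Map a node's version string to a patch-status label."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    if version >= PATCHED_CONSENSUS:
        return "hardened"
    if version >= PATCHED_DOS:
        return "dos-fix-only"
    return "vulnerable"


def adoption_report(nodes):
    """nodes: iterable of (version_string, is_miner). Returns per-status counts
    for all nodes and for miners, plus the share of nodes fully hardened."""
    all_counts = Counter()
    miner_counts = Counter()
    total = 0
    for version_string, is_miner in nodes:
        status = classify(version_string)
        all_counts[status] += 1
        total += 1
        if is_miner:
            miner_counts[status] += 1
    hardened_share = all_counts["hardened"] / total if total else 0.0
    return {
        "all": dict(all_counts),
        "miners": dict(miner_counts),
        "hardened_share": hardened_share,
    }


# Constructed sample of reachable nodes (not real network data).
SAMPLE_NODES = [
    ("/LitecoinCore:0.21.4/", False),
    ("/LitecoinCore:0.21.4/", False),
    ("/LitecoinCore:0.21.4/", False),
    ("/LitecoinCore:0.21.4/", False),
    ("v0.21.3", False),
    ("/LitecoinCore:0.21.5.4/", False),
    ("v0.21.5.5", False),
    ("/LitecoinCore:0.21.5.5/", True),
    ("/LitecoinCore:0.21.5.5/", True),
    ("/LitecoinCore:0.21.5.4/", True),
]

if __name__ == "__main__":
    report = adoption_report(SAMPLE_NODES)
    for status, count in sorted(report["all"].items()):
        print(f"{status:13s} {count}")
    print(f"miners: {report['miners']}")
    print(f"hardened share: {report['hardened_share']:.0%}")
```

Splitting the report by mining status matters because, as the article notes, an unpatched non-mining node only misleads its own peers and wallets temporarily, while an unpatched mining node can extend an invalid chain.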

Litecoin has a market cap of $3.4 billion. Its long-term security depends on software updates that most node operators have ignored for almost two months.
