Litecoin’s 13-Block Reorg: MWEB Exploit and a Disclosure Problem
Litecoin suffered a 13-block chain reorganization on April 25, 2026, after attackers exploited a vulnerability in its MimbleWimble Extension Blocks privacy layer, erasing roughly 32 minutes of network history. The Litecoin Foundation called it a zero-day. The GitHub commit log says otherwise. LTC is trading at $55.37, down 1.65% over the past 24 hours.
What the Attack Actually Looked Like
The mechanics were precise and premeditated. Attackers launched a denial-of-service assault against major mining pools running updated software, suppressing their hashrate and handing temporary chain control to older, unpatched nodes. Those vulnerable nodes accepted invalid MWEB peg-out transactions, allowing coins from the privacy layer to be moved to the main chain without proper validation. According to The Block’s reporting, that fork window lasted more than three hours, during which attackers attempted double-spends against cross-chain swap protocols. One estimate places losses from those protocols at around $600,000. Once the DoS ceased, the patched miners reclaimed the longest valid chain and the invalid transactions were wiped from Litecoin’s history, though any external system that settled against those transactions during the window remained exposed.
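An added example (not from the article or from the Litecoin project) of how a service that settles against LTC transactions could measure a tip switch like the one described above: it finds the fork point, counts the discarded blocks, and lists already-settled transactions that exist only on the discarded branch. Block names, txids and the `analyse_reorg` helper are constructed for illustration; the 2.5-minute figure is Litecoin's target block spacing.

```python
from dataclasses import dataclass

BLOCK_INTERVAL_MIN = 2.5  # Litecoin's target block spacing, in minutes

@dataclass(frozen=True)
class Block:
    hash: str
    parent: str
    txids: tuple = ()

def branch(tip, index):
    """Blocks from tip back to the oldest one in index, newest first."""
    out = []
    while tip in index:
        out.append(index[tip])
        tip = index[tip].parent
    return out

def analyse_reorg(old_tip, new_tip, index, credited):
    """Return (depth, minutes_erased, exposed) when the best tip changes.

    credited: txids this service has already settled against.
    exposed:  txid -> confirmations it had on the discarded branch.
    """
    new_branch = branch(new_tip, index)
    new_hashes = {b.hash for b in new_branch}
    surviving = {t for b in new_branch for t in b.txids}
    orphaned = []
    for b in branch(old_tip, index):
        if b.hash in new_hashes:      # common ancestor: fork point found
            break
        orphaned.append(b)
    exposed = {}
    for pos, b in enumerate(orphaned):  # pos 0 is the old tip (1 confirmation)
        for t in b.txids:
            if t in credited and t not in surviving:
                exposed[t] = pos + 1
    return len(orphaned), len(orphaned) * BLOCK_INTERVAL_MIN, exposed

def build_sample():
    """Constructed chain: 13-block discarded branch s1..s13, winner w1..w14."""
    index = {"a0": Block("a0", "genesis")}
    for name, length, txs in (("s", 13, {3: ("swap-1",), 10: ("pay-2",)}),
                              ("w", 14, {2: ("pay-2",)})):
        prev = "a0"
        for i in range(1, length + 1):
            index[f"{name}{i}"] = Block(f"{name}{i}", prev, txs.get(i, ()))
            prev = f"{name}{i}"
    return index

if __name__ == "__main__":
    print(analyse_reorg("s13", "w14", build_sample(), {"swap-1", "pay-2"}))
```

In the constructed data, `swap-1` had 11 confirmations on the discarded branch and still disappears, while `pay-2` is not flagged because the winning branch also includes it.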
The “Zero-Day” Label Is Doing a Lot of Heavy Lifting
Here is where the narrative gets uncomfortable. A zero-day vulnerability is, by definition, unknown to defenders at the time of attack. Security researcher bbsz, affiliated with the SEAL911 emergency response group, pulled the public commit history from the litecoin-project GitHub repository and found that the consensus flaw enabling the invalid peg-out was privately patched between March 19 and March 26, more than four weeks before the exploit. A separate denial-of-service vulnerability was patched on the morning of April 25, the same day as the attack, and both fixes were bundled into release 0.21.5.4 that afternoon, after the attack had already begun. “The post-mortem says one zero-day caused a DoS that let an invalid MWEB transaction slip through,” bbsz wrote. “The git log tells a slightly different story.”
Aurora CTO Alex Shevchenko added that blockchain data showed the attacker pre-funded a wallet 38 hours before the exploit via a Binance withdrawal, with the destination address already configured to swap LTC into ETH on a decentralized exchange. That is not opportunism. That is planning. The Litecoin Foundation had not publicly addressed the GitHub timeline as of Sunday. CoinDesk’s analysis of the commit history aligns with bbsz’s account. When two independent sources reconstruct the same timeline from public data and it contradicts the official post-mortem, the credibility problem belongs to the foundation, not the researchers.
The real story here is not that Litecoin got hit. Exploits happen. The story is the gap between a private patch and universal deployment, a structural vulnerability that older proof-of-work networks carry by design. Independent mining pools choose when to upgrade. That works fine until it doesn’t. The attacker apparently knew exactly which pools had updated and which hadn’t, then built the attack around that asymmetry. Sentiment in crypto forgives a lot, but it rarely forgives being told something that the public GitHub disproves within hours.