Author: Claude, Deep Tide TechFlow

Deep Tide Overview: Litecoin faced a coordinated attack on April 25, with a vulnerability in the MWEB privacy layer exploited. Attackers executed invalid transactions through outdated nodes in about 32 minutes and performed double-spending on cross-chain protocols, with NEAR Intents reporting an exposure risk of approximately $600,000. The network executed a 13-block reorganization to repair the chain state, but security researchers found that the vulnerability had been privately patched 37 days earlier, calling into question the characterization of a "zero-day attack." The official account sarcastically mocked critics for "staying in shallow water," leading to a strong backlash from the community.

The Litecoin network experienced its first major security incident since the activation of MWEB (MimbleWimble Extension Blocks, Litecoin's privacy transaction layer) in 2022 on April 25. Attackers exploited a consensus vulnerability in the MWEB layer combined with a denial-of-service attack on the mining pool to create a forked chain containing invalid transactions in about 32 minutes and executed double-spending attacks on multiple cross-chain protocols during the window of opportunity.

According to a report by The Block on April 26, Aurora Labs CEO Alex Shevchenko was the first to flag the anomaly on the X platform, characterizing it as a "coordinated attack" involving blocks #3,095,930 to #3,095,943, with the recovery process taking more than three hours.

The attack was executed in two steps: first paralyzing the mining pool, then exploiting outdated nodes

According to the official statement released by the Litecoin Foundation on April 25, the attack pathway can be divided into two stages.

The first step was to launch a DoS attack on major mining pools, lowering the hash rate proportion of nodes running the updated client. The second step involved exploiting a consensus vulnerability in the MWEB layer, injecting an invalid MWEB transaction to nodes still running the old software. These outdated nodes incorrectly treated the transaction as valid, allowing attackers to "peg out" (move funds from the privacy layer to the main chain) from the MWEB privacy layer and route funds to a third-party decentralized exchange.

Shevchenko further disclosed the on-chain traces of the attackers: they planned to exchange LTC for ETH, using an address that received funds from Binance 38 hours before the attack occurred. He assessed that the attackers had prematurely obtained information about the vulnerability.

Under normal circumstances, the interval for Litecoin block creation is about 2.5 minutes, meaning 13 blocks should be produced in roughly 32 minutes. However, this time the production of 13 blocks took more than three hours, initially leading some observers to misjudge it as a 51% attack. The reality was that once the DoS attack ceased, nodes running updated code regained the hash rate advantage, and the network automatically completed the 13 block reorganization, removing invalid transactions from the main chain. The Litecoin Foundation stated that all legitimate transactions during the reorganization were unaffected.

Cross-chain protocols became the actual victims, NEAR Intents reported a $600,000 exposure

During the fork window, attackers executed double-spending transactions on multiple cross-chain swap protocols. These protocols accepted the MWEB peg-out transactions that were later overturned by the reorganization, leading to actual losses.

Shevchenko posted on the X platform stating that NEAR Intents had an exposure risk of around $600,000, and their team would cover user losses. He also warned all trading platforms accepting LTC to audit transaction records and holdings due to a large number of double-spending transactions on the blockchain.

According to Bitcoin News, after Litecoin confirmed that invalid transactions had been removed from the main chain, the actual settlement loss for NEAR Intents might be less than initially estimated; however, as of the time of publication, the protocol had not released a subsequent statement. Other cross-chain protocols that suspended LTC-related operations were reassessing their exposure.

The Litecoin Foundation did not disclose the names of the affected mining pools or the amount of LTC that the invalid MWEB transactions attempted to create.

Old problems in PoW networks: upgrades rely on volunteers, security relies on luck

Zcash founder Zooko Wilcox commented after the incident that such rollbacks and double-spending attacks are not isolated cases in PoW networks, with Monero and Grin having faced similar events in recent years. In September 2025, Monero experienced its largest block reorganization in 12 years, with 18 blocks rolled back and 117 transactions rendered invalid.

According to analysis by CoinDesk, this event exposed a structural contradiction within PoW networks: Bitcoin and Litecoin do not have a mandatory update mechanism, allowing nodes to run outdated software indefinitely. This design has its value in decentralized philosophy, but when security patches need to reach everyone before an attacker can exploit a vulnerability, it creates a critical window.

According to Yahoo Finance's analysis, Litecoin's smaller hash rate and lower security budget make it more vulnerable to attacks than Bitcoin. Rolling back 13 blocks on the Bitcoin network requires controlling over 50% of the hash rate, costing billions of dollars; however, on Litecoin, one vulnerability coupled with a DoS attack is sufficient to create a reorganization of the same depth.

Official public relations backlash: mocking critics for "staying in shallow water," Solana strikes back

The aftermath of the incident may have caused greater damage to trust than the attack itself.

On April 26, the official Litecoin X account posted: "Some of you seem to know nothing about PoW, hash power, uptime, reorganizations, and miner/chain relationships; it's obvious. Stay in shallow water, it’s safer for you there."

According to Bitcoin News, this post triggered hundreds of hostile replies. Users criticized them for being "arrogant," "immature," and "unprofessional," with one person writing, "I've held your coin for years, and this is what you come up with?" The community expected technical transparency and post-incident analysis, not mockery.

The official Solana account also joined in this interaction. Under the discussions related to the reorganization on April 25, @solana replied, "How was your weekend, little buddy?" The community interpreted this as a direct retort to Litecoin's prior multiple mockeries of Solana's outage history.

As of the incident's disclosure, LTC was quoted at approximately $56, down about 1% on that day and down about 25% year-to-date. The market's immediate reaction to the incident was relatively muted.

The DeFi security dilemma in 2026: cross-chain infrastructure becoming the biggest attack surface

According to The Block data, by mid-April 2026, DeFi protocols had lost over $750 million due to various attacks. This includes the Kelp DAO bridging attack on April 19 ($292 million) and the Drift perpetual contract platform on Solana being attacked on April 1 ($285 million). Most significant events involved cross-chain infrastructure, similar to the method used by the Litecoin attackers to cash out via cross-chain swap protocols.

The Litecoin incident once again highlights that the confirmation issues faced by cross-chain protocols when accepting PoW chain assets are more severe than expected. When a vulnerability client can trigger a 13-block reorganization, whether six confirmations are sufficiently safe is no longer a theoretical question.