Litecoin Sees First Privacy Layer Hack: MWEB Zero-Day Vulnerability Triggered 13-Block Reorganization

According to a report by The Block, the Litecoin Foundation on Saturday 4/25 confirmed that the attacker targeted a zero-day vulnerability in the MimbleWimble Extension Block (MWEB) privacy layer, forcing the main chain to roll back once across 13 blocks over a period of three hours. This is the first major attack incident involving MWEB since it was enabled in 2022.

The MWEB vulnerability lets older nodes pass forged peg-out transactions

The core issue is that miner nodes running older software would treat an invalid MWEB transaction as legitimate. The attacker exploited this to peg out LTC from the privacy layer to the main chain, then route it into decentralized exchanges to swap it into other assets—effectively creating money out of thin air. At the same time, several major mining pools were also implicated and subjected to targeted DoS attacks.

MWEB is Litecoin’s privacy extension layer that was launched via a soft fork in May 2022, with the goal of giving LTC a value-obfuscation feature similar to Monero. For more than three years, the functionality has operated reliably. This is the first time it has been effectively used to attack the main network.

13-block rollback, fork lasting more than 3 hours

The affected fork extended from block 3,095,930 to 3,095,943, for a total of 13 blocks. This three-hour window gave the attacker enough time to carry out double-spends against cross-chain exchange protocols that accepted MWEB peg-outs: when the exchange protocol transferred the assets to the counterparty but then lost the corresponding MWEB settlement during the subsequent rollback, the isolated transactions became effectively invalid.

NEAR Intents exposes about $600k; mining pools hit with DoS as well

Among the affected protocols, NEAR Intents was the one with the highest publicly disclosed amount. Initial reports said it exposed about $600k, and the team stated it would absorb the users’ losses itself. Litecoin later confirmed that all invalid transactions were wiped from the main chain along with the rollback, so the actual settlement losses should be far lower than the initial estimate.

On the mining pool side, the same vulnerability triggered the DoS conditions, forcing pools to pause or fail to produce blocks. This is also key to how the attacker managed to keep the fork going for three hours—without mainstream hash power immediately cutting off the invalid chain, the attack chain had time to accumulate blocks.

A patched version has been released; mining pools and nodes need to upgrade immediately

Within a few hours after the incident, Litecoin’s development team released a patched version, instructing all node and mining pool operators to upgrade immediately to the latest version. The foundation said the network has returned to normal operation and advised exchanges to temporarily pause processing MWEB-related withdrawals and conversions until the upgrade is complete.

For LTC holders, this incident does not affect legitimate transactions on the main chain or existing balances, but it highlights the trade-off between “reducing observability” and “reducing the difficulty of debugging” in the privacy extension layer—when problems arise, it becomes harder for the community to track anomalies from on-chain data in the first place. Litecoin only listed a staking ETF in the United States in October 2025, so institutional investors’ focus on network stability is likely to increase.

This article, Litecoin’s first privacy-layer hack: MWEB zero-day triggers 13-block chain reorganization, first appeared on Lian News ABMedia.