The Litecoin Foundationโs first public framing of Saturdayโs incident was clean. A zero-day bug, exploited the same day, fixed within hours. The 13-block reorganization that wiped the invalid MWEB transactions was the network correcting itself in real time.
Twenty-four hours later, the story is harder to defend.
Security researcher bbsz, who works with the SEAL911 emergency response group for crypto exploits, pulled the patch timeline directly from the litecoin-project public commit log. The consensus vulnerability that allowed the invalid MWEB peg-out, the same bug Litecoinโs team called a zero-day, was privately patched between March 19 and March 26. That is roughly four weeks before the attack. A separate denial-of-service vulnerability was patched the morning of April 25. Both fixes were rolled into Litecoin Core v0.21.5.4 the same afternoon, after the attack had already started. We covered the original incident yesterday based on the Foundationโs initial post-mortem. The git log adds a layer that post-mortem did not.
A zero-day means a vulnerability unknown to defenders at the time of attack. The commit history shows the consensus bug was known and quietly fixed a month before exploitation. That is not what most people would call a zero-day. That is a privately patched vulnerability where the patch did not propagate to enough mining pools in time.
Two bugs, not one. And the attacker knew which was which.
Aurora Labs CEO Alex Shevchenko, who flagged the reorg early Saturday, made a related point in his own thread. The DoS attack and the MWEB bug were not the same exploit. They were two separate components of a coordinated attack. The DoS was designed to take patched mining nodes offline. The MWEB bug was used by unpatched nodes that the DoS left standing, accepting the invalid peg-outs and adding them to blocks that would later get orphaned.
The implication is uncomfortable. The attacker knew which mining pools were running the patched consensus code and which were not. They timed the DoS to suppress the patched ones. That kind of selective targeting requires either insider information or a careful watch on the public commit log between March 26 and April 25, looking for which pool operators had pulled the fix.
Onchain analysis added another wrinkle. Shevchenko noted that the attackerโs wallet had been funded from Binance roughly 38 hours before the attack and was already routing LTC into ETH on cross-chain DEXs during the invalid block window. Whoever did this had the swap path mapped before the chain even split.
The full timeline, side by side
| Date | What Happened | Public Knowledge |
|---|---|---|
| March 19-26, 2026 | Consensus vulnerability privately patched in litecoin-project repo | Not disclosed |
| Late March โ April 24 | Patched code merged but not pushed to all mining pools as required | Not disclosed |
| April 25, morning | Separate denial-of-service vulnerability patched in repo | Not disclosed |
| April 25, ~early afternoon | Attack begins. DoS hits patched mining pools, unpatched pools accept invalid MWEB peg-outs | Disclosed by Litecoin team in evening tweet |
| April 25, ~evening | 13-block reorg from blocks 3,095,930 to 3,095,943 reverses invalid transactions | Public |
| April 25, 4:22 p.m. ET | Litecoin Core v0.21.5.4 released. Both fixes now public | Public |
Why patched-but-not-deployed is a structural problem
Older proof-of-work networks like Litecoin and Bitcoin rely on independent mining pools choosing when to upgrade. That works for non-urgent changes. It fails when a security patch needs to reach everyone before an attacker can exploit the gap between patched and unpatched pools.
Newer chains with smaller, more centralized validator sets coordinate upgrades through chat groups and can push patches network-wide in hours. The trade-off is well-known. Decentralized upgrade paths are more resilient to capture but slower to ship critical fixes. Litecoinโs incident is a case study in how that slowness becomes the attack surface.
There is a separate question about the disclosure pattern itself. Privately patching a consensus bug is reasonable security practice, as long as the fix is then required across all mining pools before public release of the binary. The git log suggests that did not happen here. The patch sat in the repo. Some pools pulled it. Some did not. The attacker exploited the gap.
Where the Mythos era complicates this further
The bbsz post made one more point that is worth quoting in spirit. In the age of Mythos-class AI security tools, a four-week window between private patch and required deployment is a window an automated adversary can find. Public commit logs are training data. Private patches that are publicly visible in the repo are advertisements. The Litecoin attacker may not have used AI. The next one will not have to.
The broader stretch this lands in is brutal. DeFi protocols have lost over $750 million to exploits in 2026 through mid-April. That includes the $292 million Kelp DAO bridge drain and the $285 million Drift attack. Most of those incidents involved cross-chain infrastructure. Same surface the Litecoin attackers reportedly used to move their gains off the chain before the reorg.
What the Foundation has not addressed
The Litecoin Foundation has not publicly responded to the GitHub timeline as of Sunday morning. The amount of LTC that pegged out during the invalid block window has not been disclosed. The value of cross-chain swaps that completed before the reorg reversed them has also not been disclosed. NEAR Intents had originally reported around $600,000 in exposure. The actual settled losses across all affected platforms is still unknown.
LTC was trading near $56 on Sunday morning, down about 1% on the day. The market reaction has been almost nothing. The reputational reaction is going to take longer to settle, and the next public statement from the Foundation will determine which direction that goes.
Whether the network self-corrected is no longer the question. The question is what the team knew, when they knew it, and why the patch did not reach the pools it needed to before April 25.
