The Litecoin Foundation released a critical security update, Core version 0.21.5.5, on May 7 to address a zero-day vulnerability in its Mimblewimble Extension Block (MWEB) implementation that was actively exploited in April. All node operators and wallet users are urged to upgrade immediately.
"The Litecoin Core v0.21.5.5, a patch version release, includes important MWEB consensus hardening, node reliability improvements, wallet and mining fixes, and build/test updates," the Litecoin team said in a post on X.
The patch addresses a critical validation bug that allowed an attacker to create an invalid MWEB transaction, causing a 13-block reorganization on the mainnet in April. The new version fixes MWEB PMMR rewind corruption, improves MMR file write durability, and increases the maximum P2P protocol message length to 32 MB to accommodate valid MWEB blocks.
The incident highlights the ongoing security challenges for proof-of-work blockchains, even established ones like Litecoin. The successful patch is crucial for maintaining trust in the MWEB privacy feature, which was a major network upgrade. The fix prevents the inclusion of MWEB transactions where input and output commitments sum to zero, hardening the chain against similar future attacks.
MWEB Exploit Post-Mortem
In late April, Litecoin developers released a post-mortem report on the incident. A zero-day bug in the MWEB validation logic was identified in March 2026. An attacker later used this exploit path, leading to a temporary chain split as upgraded nodes correctly rejected the invalid block, while non-upgraded nodes initially accepted it.
The 13-block reorganization reversed the invalid transactions, preventing any loss of funds. The new Core release permanently fixes the root bug. The update also includes expanded testing for MWEB P2P messages, duplicate peg-ins, and crash recovery scenarios to prevent a recurrence.
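Because the chain split ran along the line between upgraded and non-upgraded nodes, operators may want to confirm which side their own node and its peers are on. The script below is an added example, not code from the article or from the Litecoin project. It assumes the `subversion` and `subver` fields reported by `litecoin-cli getnetworkinfo` and `getpeerinfo` carry a user agent of the form `/LitecoinCore:0.21.5.5/`, and it runs on constructed sample data.

```python
import json
import re

PATCHED = (0, 21, 5, 5)  # fixed release named in the article

# Assumed user-agent shape: "/LitecoinCore:<dotted version>/", optionally with a comment.
_UA = re.compile(r"/LitecoinCore:(\d+(?:\.\d+)*)")

def parse_version(subver):
    """Return the version as a tuple of ints, or None if not a Litecoin Core agent."""
    m = _UA.search(subver or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad so "0.21.5" compares as 0.21.5.0 against the four-part patched release.
    return parts + (0,) * (len(PATCHED) - len(parts))

def status(subver):
    """Classify one user agent as patched, outdated or unknown."""
    v = parse_version(subver)
    if v is None:
        return "unknown"
    return "patched" if v >= PATCHED else "outdated"

def audit(own_subver, peers):
    """Classify the local node and every peer entry from getpeerinfo."""
    return {
        "self": status(own_subver),
        "peers": {p["addr"]: status(p.get("subver")) for p in peers},
    }

# Constructed sample data (documentation IP ranges), standing in for the JSON
# printed by `litecoin-cli getnetworkinfo` and `litecoin-cli getpeerinfo`.
SAMPLE_NETWORKINFO = json.loads('{"subversion": "/LitecoinCore:0.21.4/"}')
SAMPLE_PEERS = json.loads("""[
  {"addr": "192.0.2.10:9333",   "subver": "/LitecoinCore:0.21.5.5/"},
  {"addr": "192.0.2.11:9333",   "subver": "/LitecoinCore:0.21.4/"},
  {"addr": "198.51.100.7:9333", "subver": "/LitecoinCore:0.21.5(test)/"},
  {"addr": "198.51.100.8:9333", "subver": "/OtherClient:1.0/"},
  {"addr": "203.0.113.5:9333"}
]""")

if __name__ == "__main__":
    report = audit(SAMPLE_NETWORKINFO["subversion"], SAMPLE_PEERS)
    print(json.dumps(report, indent=2))
```

A local node reported as "outdated" is the one that needs the upgrade; peers reported as "unknown" simply did not present a Litecoin Core user agent.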