MWEB Bug Let Invalid Litecoin Transactions Pass, 13-Block Reorg

A bug in Litecoin’s MimbleWimble Extension Block (MWEB) implementation allowed malformed MWEB transactions to be accepted by nodes that had not updated their software, enabling peg-outs to third-party decentralized exchanges and triggering a 13-block chain reorganization to remove the invalid transactions. The Litecoin team reported the exploit has been patched and the network is stable. Litecoin traded near $56 at the time of reporting, down slightly over the prior 24 hours.

The incident occurred on Saturday when non-updated nodes processed a malformed MWEB transaction, creating a window in which fraudulent transactions could be accepted by parts of the network. The team said the network executed a 13-block reorganization that rolled back the affected chain segment and removed invalid transactions while preserving valid transactions from the same period.

Blockchain data show the affected sequence ran from block 3095930 through 3095943. Those 14 blocks took more than three hours to mine, compared with roughly 30 minutes normally expected given Litecoin’s 2.5-minute block time, producing an average block interval of about 13.5 minutes for that range.

Analysts Alex Shevchenko and Zacodil were among the first to flag the unusual reorganization. Shevchenko posted that on-chain data indicated the actor planned to convert the funds to ETH and that the addresses used were funded about 38 hours earlier from an address he identified as linked to Binance. He also suggested the actor may have deployed denial-of-service tactics to reduce honest mining power and exploit the MWEB bug.

The Litecoin team described the event as a protocol bug rather than a takeover by miners. The reorganization was used to restore the ledger by excluding the malformed MWEB transactions. The team has not yet published a detailed post-mortem.

NEAR Intents provided a preliminary estimate of about $600,000 in exposure intended to cover potential user losses. With the invalid transactions removed from the main chain, those working on the response said the actual financial impact may be lower. Investigations by blockchain analysts and exchanges handling the involved addresses are ongoing.

A validator on the XRP Ledger questioned Proof of Work as a security model in light of the event, arguing that networks secured by PoW rely on economic incentives tied to token price and available hash power rather than final settlement that prevents reorganizations.

The event comes amid a period of heightened exploitation risk across crypto: DeFi protocols suffered more than $750 million in losses from exploits through mid-April 2026, including a $292 million bridge drain on April 19 and a $285 million attack on a Solana-based trading platform on April 1.

MWEB is an extension block added to Litecoin to increase privacy and fungibility by moving some transactions off the main ledger and later pegging values back to the base chain. A chain reorganization replaces a recent sequence of blocks with an alternative sequence and effectively rolls back transactions included in the removed blocks. In this case, the reorg removed malformed MWEB transactions that had been accepted by outdated nodes.

Stakeholders have requested a technical report explaining how the bug arose and what measures will prevent similar issues. The Litecoin team says the flaw is fixed and normal operations have resumed.