Axel Clipman

Yesterday @litecoin published the MWEB security incident post-mortem. Read it first if you want to follow this thread: litecoin.com/news/litecoin-… Credit to LF for the detailed report. But there's one lesson missing from "lessons learned", and it's the most important one. 🧵

Zero-day or an inside job? 1. From our data the attacker was planning to swap LTC into ETH on this address: 0xfF18652A84aAd4f99F464f6B58cE7Ad929F6Fc10 which was funded 38h ago from @binance. Attacker knew about the bug for some time. 2. DoS attack was just putting nodes down to decrease the hashrate and there was indeed the bug in the MWEB txs. These two are different things. The MWEB bug is protocol bug. DoS is just a way to exploit it. 3. The fact that protocol automatically handled the reorg once DoS stopped (which is great) means that some portion of the hashrate was actually running an updated code. Thus, this bug was known and it's not a zero-day. So, somebody was able to DoS precisely upgraded hashrate up to the point that it was less upgraded hashrate than non-upgraded. Any chance the attacker knew who upgraded and who didn't, at least with high probability? If the bug was known and the miners were communicated with, then why RPC providers weren't? @Quicknode and others could have been omitting the blocks from non-upgraded miners. So these whole 13 invalid blocks would not be surfaced to anyone.

10h ago @litecoin experienced a coordinated attack on the chain that resulted in 13 blocks reorg that took more than 3h to generate. During this time attackers were performing double spend attacks on multiple cross-chain swapping protocols. We are investigating the situation.