WikiBit 2026-04-29 03:13

Key Takeaways: A Litecoin MWEB validation bug let an attacker inflate and peg out 85,034 LTC in March 2026, but the actor returned the funds for an 850
Litecoin Developers Release Postmortem After MWEB Bug Causes Chain Reorg
The postmortem identified the root cause as a missing metadata check during block connection. When an MWEB input spends a previous output, the metadata it carries must match the actual output being consumed. That check existed in the mempool and block-building paths, but developers confirmed it was not fully enforced at the block connection stage.
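The following is an added toy model of the validation gap described above; it is not Litecoin Core code, and all names, structures and amounts in it (the `ChainState` class, the `claimed_value` field, the 1.2-coin and 85,000-coin figures) are constructed for illustration. It shows why a check that runs only at mempool acceptance is not a consensus check: a transaction that reaches the chain through a block never passes through the mempool path, so the block-connection path has to verify the spent output itself rather than balance against metadata the spender wrote.

```python
from dataclasses import dataclass

BASE_UNITS = 100_000_000  # 1 coin = 1e8 base units, as in Litecoin


@dataclass(frozen=True)
class Output:
    outpoint: str
    value: int  # base units actually committed to the chain


@dataclass(frozen=True)
class Input:
    outpoint: str
    claimed_value: int  # metadata the spender attaches; must be verified, never trusted


@dataclass(frozen=True)
class Tx:
    inputs: tuple
    outputs: tuple
    pegout: int = 0  # value leaving the shielded side for the transparent side


class ChainState:
    """Constructed stand-in for the shielded UTXO set plus the pegged-out total."""

    def __init__(self, utxos):
        self.utxos = {o.outpoint: o for o in utxos}
        self.transparent_supply = 0  # coins pegged out so far

    def check_input_metadata(self, tx):
        """Each input's carried metadata must match the output it spends."""
        for inp in tx.inputs:
            actual = self.utxos.get(inp.outpoint)
            if actual is None:
                return f"unknown outpoint {inp.outpoint}"
            if actual.value != inp.claimed_value:
                return (f"metadata mismatch on {inp.outpoint}: claims "
                        f"{inp.claimed_value}, actual {actual.value}")
        return None

    @staticmethod
    def check_balance(tx):
        """Sound only after check_input_metadata: it sums the *claimed* values."""
        if sum(i.claimed_value for i in tx.inputs) != sum(o.value for o in tx.outputs) + tx.pegout:
            return "inputs do not cover outputs plus pegout"
        return None

    def accept_to_mempool(self, tx):
        return self.check_input_metadata(tx) or self.check_balance(tx)

    def connect_block(self, block, enforce_input_metadata=True):
        """Validate, then apply a block. Returns None on success, else the reason.

        enforce_input_metadata=False reproduces the gap: the block path checks
        balance against metadata the spender wrote instead of the spent output,
        so a transaction delivered inside a block skips the mempool's check."""
        for tx in block:
            if enforce_input_metadata:
                err = self.check_input_metadata(tx)
                if err:
                    return err
            err = self.check_balance(tx)
            if err:
                return err
        for tx in block:  # mutate state only once the whole block validated
            for inp in tx.inputs:
                self.utxos.pop(inp.outpoint, None)
            for out in tx.outputs:
                self.utxos[out.outpoint] = out
            self.transparent_supply += tx.pegout
        return None


def run_demo():
    """Constructed scenario: one 1.2-coin shielded output, spent honestly and
    then with inflated metadata, through each admission path."""
    small = Output("mweb:constructed-01", 12 * BASE_UNITS // 10)
    honest = Tx(inputs=(Input(small.outpoint, small.value),), outputs=(), pegout=small.value)
    inflated_value = 85_000 * BASE_UNITS
    inflated = Tx(inputs=(Input(small.outpoint, inflated_value),), outputs=(), pegout=inflated_value)

    results = {}
    mempool = ChainState([small])
    results["mempool_rejects_inflated"] = mempool.accept_to_mempool(inflated)

    vulnerable = ChainState([small])
    results["vulnerable_connect_accepts_inflated"] = vulnerable.connect_block(
        [inflated], enforce_input_metadata=False)
    results["vulnerable_supply"] = vulnerable.transparent_supply

    fixed = ChainState([small])
    results["fixed_connect_rejects_inflated"] = fixed.connect_block([inflated])
    results["fixed_connect_accepts_honest"] = fixed.connect_block([honest])
    results["fixed_supply"] = fixed.transparent_supply
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design point is that `check_balance` is only meaningful once `check_input_metadata` has bound the claimed values to real outputs; any admission path that calls the former without the latter lets the spender set the amount it is balancing against, which is exactly the class of gap the postmortem attributes to the block connection stage.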
Developers discovered the vulnerability through internal review on March 19. A chain scan showed exploitation had already occurred at block 3,073,882. The attacker used a malicious MWEB input whose real value was no more than 1.2084693 LTC to support a pegout of 85,034.47285734 LTC.
Developers said they coordinated privately with major mining pools to contain the inflated outputs before public disclosure. An emergency release, Litecoin Core 0.21.5, was pushed to miners to block new malformed inputs. A follow-up release, 0.21.5.1, added a historical exception for the already-accepted exploit block and temporarily froze the three transparent outpoints holding the attacker's funds.
The actor attempted to spend at least one frozen output. Upgraded miners rejected the transaction. Developers then contacted the actor directly. The actor agreed to cooperate and signed a recovery transaction that returned 84,184.47278630 LTC to a developer-controlled address while keeping 850 LTC as an agreed bounty.
Litecoin founder Charlie Lee purchased the 850 LTC needed to make the MWEB balance whole. The full 85,034.47285734 LTC was pegged back into MWEB in a single transaction at block height 3,078,098, and the resulting MWEB output was frozen. No user funds were ultimately lost in the March incident.
According to the postmortem, a second attacker attempted the same exploit path in April, triggering a separate failure. Upgraded nodes rejected the malformed block, but the way mutated MWEB block data was handled caused certain mining RPC commands to hang, including the submitblock call. Upgraded mining stalled while unupgraded miners continued extending the invalid chain.
The invalid chain grew to 13 blocks before upgraded miners coordinated to overtake it. The bad chain was reorged out, but several third-party systems had already processed activity on the invalid chain before the reorg completed.
NEAR Intents confirmed the attacker swapped 11,000 LTC for 7.78814476 before the reorg completed. Those 11,000 LTC were no longer present on the valid chain after the reorg, leaving NEAR Intents with a confirmed loss. Thorchain reported a separate loss after the attacker swapped 10 LTC for 0.00719957 BTC through its bridge before the reorg.
Litecoin Core 0.21.5.4 addressed the mutated-block stall by erasing stored block data for blocks classified as mutated, allowing valid data for the same block hash to be accepted later. The release was built and deployed publicly on April 25.
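As an added illustration of the storage-side fix described above (this is a constructed toy, not Litecoin Core code, and `BlockStore`, `receive` and the SHA-256 stand-in for the header's commitment are assumptions made for the example), the model below delivers a mutated body and then the valid body for the same block hash. When the mutated data is kept, the node believes it already holds that block and ignores the valid copy; erasing the mutated data lets the later valid data be accepted. The example models only the block store; the RPC hang the postmortem describes is not reproduced here.

```python
import hashlib


def body_hash(body: bytes) -> str:
    """Stand-in for the header's commitment to the block contents."""
    return hashlib.sha256(body).hexdigest()


class BlockStore:
    """Toy block store with one body slot per block hash.

    erase_mutated=False keeps a body that failed the commitment check under
    its hash, so the node thinks it already has that block and drops the valid
    data when it arrives. erase_mutated=True models the behaviour described
    for 0.21.5.4: mutated data is erased so valid data for the same hash can
    still be accepted later."""

    def __init__(self, erase_mutated: bool):
        self.erase_mutated = erase_mutated
        self.bodies = {}          # block hash -> stored body bytes
        self.connectable = set()  # hashes whose stored body passed the check

    def receive(self, block_hash: str, body: bytes) -> str:
        if block_hash in self.bodies:
            return "ignored: already have data for this hash"
        self.bodies[block_hash] = body
        if body_hash(body) != block_hash:  # body does not match the header
            if self.erase_mutated:
                del self.bodies[block_hash]
                return "mutated: stored data erased"
            return "mutated: stored data kept"
        self.connectable.add(block_hash)
        return "accepted"

    def can_connect(self, block_hash: str) -> bool:
        return block_hash in self.connectable


def replay(erase_mutated: bool):
    """Deliver a mutated body first, then the valid one, under the same hash.
    Both bodies are constructed sample data."""
    valid_body = b"constructed valid block body"
    block_hash = body_hash(valid_body)
    mutated_body = b"constructed body that does not match the header"
    store = BlockStore(erase_mutated)
    statuses = [store.receive(block_hash, mutated_body),
                store.receive(block_hash, valid_body)]
    return statuses, store.can_connect(block_hash)


if __name__ == "__main__":
    print("keep mutated data: ", replay(False))
    print("erase mutated data:", replay(True))
```

The defensive lesson is the same one the release embodies: a "have this block" flag must be keyed on data that actually validated, otherwise an unverified body received first can pin a block hash into a state the node can never recover from without operator intervention.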
The postmortem blog post acknowledged several failures in the response, including that MWEB validation relied too heavily on checks that were not applied at block connection, that the recovery required multiple staged miner releases each carrying coordination risk, and that the April mutated-block failure mode had not been tested against mining RPC behavior.