Critical Litecoin Update Released After Zero-Day Exploit Incident

The Litecoin team just announced a new core version release, which contains important security updates.

In a tweet, the Litecoin official X account revealed that Core version 0.21.5.5 is now available. The Litecoin Core v0.21.5.5, a patch version release, includes important MWEB consensus hardening, node reliability improvements, wallet and mining fixes, and build/test updates. As a result, all node operators and wallet users are strongly encouraged to upgrade ASAP.

The release also contains notable changes, including important MWEB validation and state-handling fixes.

The maximum P2P protocol message length was increased to 32 MB so that valid MWEB blocks and messages fit under the message-size limit. The release also prevents the reading of the previous block from disk when constructing HogEx transactions. This also avoids including MWEB transactions in candidate blocks when their input and output commitments would sum to zero.

Tests were added and expanded for MWEB P2P messages, duplicate pegins, crash recovery, mutated blocks, mining, and wallet/RPC behavior.

The MWEB PMMR rewind corruption was fixed alongside improved MMR file write durability. A transaction index consistency issue was fixed that could occur if writing block data failed after the index commit.

Litecoin releases report on zero day bug

In April, Litecoin suffered a zero-day bug, which caused a DoS attack that disrupted major mining pools. Non-updated mining nodes allowed an invalid MWEB transaction, allowing them to peg out coins to third party DEXs. A 13-block reorg reversed those invalid transactions, not allowing them to be included in the main chain. The Litecoin Core 0.21.5.4 was released shortly after to address the failure.

At April’s close, a post mortem report was released on the incident. Litecoin developers identified a critical validation bug in Litecoin’s Mimblewimble Extension Block implementation in March 2026. In April, a second attacker or tester attempted to use the same original exploit path. The upgraded nodes rejected the bad block, resulting in a 13-block invalid chain that was later reorged out after upgraded miners coordinated on the valid chain. The root bug has now been fixed.