Critical Litecoin Bug Allowed Attacker to Create 85,000 LTC Out of Thin Air

A severe validation error in Litecoin's MWEB privacy layer enabled an attacker to generate over 85,000 LTC from nothing in March 2026. A coordinated crisis effort saved the situation – but in April, another actor struck, resulting in a 13-block chain reorganization.

TL;DR

A critical bug in Litecoin's Mimblewimble Extension Block (MWEB) was exploited in March 2026 to generate 85,034 LTC without backing
Litecoin developers coordinated with the mining pool to freeze the funds; the attacker cooperated and returned them in exchange for an 850 LTC bounty
In April, a new actor attempted the same, triggering a 13-block chain reorganization and an estimated $600,000 in losses for third-party services
Litecoin Core 0.21.5.4 has been released and is expected to fully close the vulnerability

Bug in Privacy Layer Opened Door for LTC Supply Inflation

In March 2026, an unknown actor exploited a severe validation error in Litecoin's MWEB layer – the Mimblewimble-based privacy extension activated on the network in 2022. The bug lay in how MWEB validated inputs during block connection, allowing a miner to include malformed metadata that did not match the actual unspent transaction output being referenced.

As a result, at block height 3,073,882, the attacker managed to produce an inflated «pegout» – a payout from the MWEB system to a transparent address – totaling a massive 85,034.47285734 LTC, according to a postmortem published by Litecoin developer David Burkett and reported by Bitcoinist.

85,034 LTC were created from nothing – without backing in the network's actual supply.

Critical Litecoin Bug Allowed Attacker to Create 85,000 LTC Out of Thin Air

Coordinated Response Halted the Bleeding

Litecoin developers reacted quickly. In cooperation with major mining pools, the funds were frozen, and the attacker was contacted directly. According to available information, the attacker chose to cooperate and returned most of the amount in exchange for an 850 LTC bounty. Litecoin founder Charlie Lee reportedly personally covered the bounty to restore the MWEB ledger. No confirmed user losses were recorded as a result of the March incident.

April Incident: Reorganization and Million-Dollar Losses for Third Parties

Despite remediation attempts after the March incident, a new actor struck in April 2026 with the same attack pattern. Updated nodes rejected the invalid block, but the handling of the mutated MWEB data caused a number of upgraded mining nodes to stall or cease functioning. This paved the way for unupdated miners to build upon an invalid chain.

The invalid chain grew to 13 blocks – approximately 32 minutes of chain history – before the upgraded network participants managed to coordinate a deep reorganization and restore the valid chain, according to available documentation.

The consequences for third-party services were noticeable. NEAR Intents reportedly suffered losses of an estimated $600,000 due to double-spend operations during the fork, according to Bitcoinist and related research. Aurora Labs CEO Alex Shevchenko characterized it as a «coordinated attack.» NEAR Intents has promised full compensation to affected users. Infrastructure related to THORChain and SwapKit was also impacted.

It is important to emphasize that these loss figures are based on information from affected parties and have not yet been fully independently verified.

85,034 LTC

Illegally generated in March attack

13 blocks

Length of invalid chain in April

~$600,000

Estimated losses for NEAR Intents

Known Vulnerability – But Not Patched

Security firm Quarkslab conducted a 45-day audit of Litecoin's MWEB implementation back in 2021–2022. The report identified a critical bug classified as HIGH01: MWEB blocks were not validated correctly, potentially allowing a rogue miner to submit invalid blocks that were accepted by the network. It was recommended to add a call to the MWEB::CheckBlock function from the canonical side.

It is unclear to what extent this finding was followed up, and whether the specific vulnerability from 2026 is directly related to the HIGH01 finding. The Litecoin project has not yet publicly commented on this connection.

Patch Is Out – But Warnings Abound

Litecoin Core 0.21.5.4 was released to address both incidents. The update is intended to ensure that corrupted block data is rejected and that MWEB accounting and validation are strengthened at all levels. The Litecoin Foundation assures that all legitimate transactions performed during the affected period are preserved on the primary chain, and that the security vulnerability has been fully remediated.

Nevertheless, the incidents point to structural challenges. Several analysts have highlighted Litecoin's relatively low hash rate as a persistent risk factor that makes the network more vulnerable to 51 percent attacks. The Aurora Labs CEO recommends that all platforms processing Litecoin transactions conduct thorough audits of their own ledgers and holdings. Proposals have also been made to extend confirmation periods for cross-block services to over 50 blocks, or to temporarily suspend LTC cross-block operations until the network has demonstrated sufficient stability.