Litecoin’s Double-Spend Patch Sits Unused on 70% of Nodes Two Months Later

Most Litecoin nodes are still running software that can’t stop a repeat of April’s double-spend attack. That’s a problem nobody seems to be fixing fast enough.

Less than 30% of nodes have installed the patches released after a hacker exploited a flaw in Litecoin’s MimbleWimble Extension Block — known as MWEB — transactions. The rest? Basically sitting ducks. Around 39% of nodes are still on version v0.21.4, the vulnerable build, and most of those are non-mining nodes. Mining nodes are a different story — the majority of them did update, which means miners probably won’t get fooled the same way again. But validating nodes are another matter entirely, and there are a lot of them still processing transactions without the fix.

Not great.

What Actually Happened in April

The attack hit on April 25. A malformed MWEB peg-out transaction slipped through — a tiny input backing a much larger withdrawal, effectively conjuring illegitimate Litecoin out of thin air. Non-upgraded mining nodes accepted the invalid transaction, and the attacker managed to peg out coins to third-party venues before anyone could stop it. The Litecoin network responded with an emergency 13-block reorganization, which reversed the fraudulent activity and stopped the bleeding. Fast response, all things considered. But the fact that it got that far in the first place rattled confidence.

The flaw traces back to how Litecoin Core handles MWEB transactions. MWEB, activated in 2022, was built to give Litecoin users better transaction privacy. Good idea in theory. But it inadvertently introduced the vulnerability that the April attacker found and used. The privacy layer that was supposed to be a feature became a liability.

Litecoin Core v0.21.5.4 dropped the day after the reorganization event — April 25 — targeting denial-of-service attack vectors on mining pools. Then, in early May, the team pushed v0.21.5.5, a follow-up patch aimed at hardening MWEB validation further. Two patches, clear purpose, available for weeks. And still, most of the network hasn’t moved.

Why the Slow Adoption Matters

Litecoin carries a market cap of $3.4 billion. That’s not a small number. And the security of that network depends almost entirely on node operators keeping their software current — which, it turns out, is harder to coordinate than it sounds in a decentralized system. You can’t force anyone to update. You can urge, warn, release patches, and repeat yourself. But if operators don’t act, the vulnerability just sits there.

Read also: Congress Members Could Lose Prediction Market Profits Under Steils $2,000 Fine Bill

And that’s kind of where things stand right now.

The Litecoin team has pushed hard for adoption, urging all users to move to the latest versions and making clear what’s at stake. The patches are designed to reject invalid MWEB transactions outright, so nodes running the updated software won’t process the kind of malformed peg-out that triggered April’s mess. But with roughly 70% of nodes still on older builds, a significant chunk of the validating network can’t make that call correctly. An attacker who tried a similar move today would find a lot of nodes willing to accept what they shouldn’t.

The gap between mining nodes and non-mining validating nodes is worth paying attention to here. Miners updated because they had direct skin in the game — they were the ones whose pools got targeted by the denial-of-service angle of the exploit. Non-mining node operators don’t face the same immediate pressure, and it seems that’s reflected in their update rate. It’s probably not malice. It’s probably just inertia. But inertia in network security tends to end badly.

Where the Network Stands Now

No timeline exists for when — or whether — the remaining nodes will update. The Litecoin team hasn’t specified a deadline, and there’s no mechanism in a decentralized network to force the issue. It’s unclear whether the slow adoption will trigger more aggressive outreach from the team or whether the community will simply wait and hope nothing happens in the meantime.

See also: Franklin Templeton Bets on Bitcoin with Two New Dividend-Reinvesting ETFs

What’s clear is that the network’s exposure isn’t theoretical. The attack in April wasn’t a proof-of-concept or a researcher’s demo — it was a real attempt, and it worked well enough to require a 13-block reorg to undo. If a similar attempt came today, miners would likely catch it before it became permanent. But “likely” isn’t the same as “certainly,” and the validating nodes that are still running v0.21.4 add genuine uncertainty to that picture.

Decentralized networks have always struggled with coordinated upgrades. It’s a known problem, not unique to Litecoin. But the stakes are higher when the vulnerability being patched has already been exploited in the wild, not just discovered in theory. The patches exist. They work. Getting them onto the other 70% of nodes is the part nobody has solved yet.

The Litecoin Core team released v0.21.5.5 in early May.