
🔎[Messari Research] Stellar suffered (and quietly patched) a 2.2 billion XLM inflation bug in 2017

Messari

Mar 27, 2019 ⋅  2 min read

New research from Messari shows that Stellar, the eighth largest cryptocurrency protocol by reported market cap, suffered a significant yet lightly reported inflation bug in April of 2017. While conducting research into supply details for the top 50 cryptoassets, our team found that:

  • In 2017 an attacker was able to exploit a concurrency bug in the Stellar protocol's "MergeOPFrame::doApply" function, and create 2.25 billion $XLM worth approximately $10 million at the time.
  • This illicit inflation represented nearly 25% of circulating supply in April of 2017, but public disclosures at the Stellar Development Foundation (“SDF”) regarding the event were relatively muted, and no media seems to have previously reported on the bug or the SDF’s subsequent decision to burn an equivalent amount of XLM from its community reserve to offset the illicit inflation.
  • The affected addresses and related records of the bug are no longer accessible on Stellar Expert or other block explorers, but our research team was able to track the historical transactions through the Horizon client transaction history.
  • The $XLM that was created was moved to exchanges and likely sold amidst the market run-up during the first half of 2017.

Stellar representatives shared the following statement with us prior to publication: "In April 2017, Stellar was an emerging open-source project with a small but dedicated developer community. Announcing the bug in our release notes therefore made total sense—that’s how you reach those users. We mentioned it twice, in fact, in the notes, and we were very clear the bug had been exploited. From there, we took the additional step of burning Lumens to “true up” the supply, so that current $XLM owners wouldn’t be diluted and our projected total supply would remain accurate. We recognize that Stellar has since become significant financial software, and our disclosure standards have grown to reflect that reality. There’s been no notable bug since, and if there were we would disclose it in full detail as soon as it was patched. As we announced last month in our 2019 Roadmap, we have already committed to a full accounting of all of SDF’s Lumens by the end of the year, and more details around this old bug were going to be (and still will be) part of that.” Our full report is available for Unqualified Opinions subscribers here.

Let us know what you loved about the report, what may be missing, or share any other feedback by filling out this short form. All responses are subject to our Privacy Policy and Terms of Service.
