Stellar silently patched a bug that allowed a user to ‘create’ 2.25 billion XLM worth $10 million
According to a new research report by Messari, Stellar had a bug that a user abused in 2017 to create 2.25 billion XLM, worth approximately $10 million at the time. The bug was identified by the Stellar Development Foundation (SDF) and subsequently patched.
In April 2017, the attacker exploited the account-merge operation (the MergeOpFrame::doApply function in stellar-core) and created 2.25 billion XLM for himself. At the time, that amount was equivalent to approximately 25% of the circulating supply. SDF patched the bug and announced a coin burn equal to the amount the attacker had created. Messari reported that “public disclosures at the SDF regarding the event were relatively muted, and no media seems to have previously reported on the bug.”
Messari’s summary of the report stated:
“The affected addresses and related records of the bug are no longer accessible on Stellar Expert or other block explorers, but our research team was able to track the historical transactions through the Horizon client transaction history.”
It also added that the generated XLM might have been moved to exchanges and sold at the peak of the 2017 crypto frenzy.
Messari contacted Stellar before publishing the report, and Stellar replied:
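The Horizon-based reconstruction Messari describes above comes down to a conservation check: on Stellar, every operation is supposed to move lumens between accounts, never create them. The following is an added example, not code from the article, from Messari or from the Stellar project. It walks Horizon-style effect records (the `type`, `account`, `asset_type`, `amount` and `starting_balance` fields match Horizon's `/effects` response) and flags any operation whose native credits exceed its native debits. The records are constructed, the `operation_id` field is an assumption made here so the sample can be grouped offline (live Horizon records carry the operation in `_links.operation`), and the example does not model the merge-operation bug itself, which the article does not describe.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample of Horizon-style effect records (not real ledger data).
# "operation_id" is an assumption added here for offline grouping.
SAMPLE_EFFECTS = [
    # op 1: ordinary payment, debit equals credit
    {"operation_id": "1", "type": "account_debited", "account": "GSRC1",
     "asset_type": "native", "amount": "100.0000000"},
    {"operation_id": "1", "type": "account_credited", "account": "GDST1",
     "asset_type": "native", "amount": "100.0000000"},
    # op 2: account merge that conserves lumens
    {"operation_id": "2", "type": "account_debited", "account": "GSRC2",
     "asset_type": "native", "amount": "250.5000000"},
    {"operation_id": "2", "type": "account_credited", "account": "GDST2",
     "asset_type": "native", "amount": "250.5000000"},
    {"operation_id": "2", "type": "account_removed", "account": "GSRC2"},
    # op 3: account merge whose credit exceeds the debit, i.e. net creation
    {"operation_id": "3", "type": "account_debited", "account": "GSRC3",
     "asset_type": "native", "amount": "250.5000000"},
    {"operation_id": "3", "type": "account_credited", "account": "GDST3",
     "asset_type": "native", "amount": "2250.5000000"},
    {"operation_id": "3", "type": "account_removed", "account": "GSRC3"},
    # op 4: create_account, starting balance funded by the creator
    {"operation_id": "4", "type": "account_debited", "account": "GSRC4",
     "asset_type": "native", "amount": "10.0000000"},
    {"operation_id": "4", "type": "account_created", "account": "GNEW4",
     "starting_balance": "10.0000000"},
    # op 5: non-native credit, ignored by a lumen audit
    {"operation_id": "5", "type": "account_credited", "account": "GDST5",
     "asset_type": "credit_alphanum4", "asset_code": "USD",
     "amount": "5.0000000"},
]

# Effect types that add lumens to an account, and the field holding the amount.
CREDIT_TYPES = {"account_credited": "amount", "account_created": "starting_balance"}
# Effect types that remove lumens from an account.
DEBIT_TYPES = {"account_debited": "amount"}


def native_delta_per_operation(effects):
    """Return {operation_id: credited - debited} over native-asset effects.

    Amounts are parsed with Decimal because Horizon serialises them as
    7-decimal strings; float arithmetic would lose precision on large sums.
    """
    credited = defaultdict(Decimal)
    debited = defaultdict(Decimal)
    for effect in effects:
        # account_created carries no asset_type but is always lumens;
        # every other effect must be explicitly native to count.
        if effect.get("asset_type", "native") != "native":
            continue
        kind = effect["type"]
        op_id = effect["operation_id"]
        if kind in CREDIT_TYPES:
            credited[op_id] += Decimal(effect[CREDIT_TYPES[kind]])
        elif kind in DEBIT_TYPES:
            debited[op_id] += Decimal(effect[DEBIT_TYPES[kind]])
        # account_removed, signer and trustline effects carry no balance change.
    return {op_id: credited[op_id] - debited[op_id]
            for op_id in set(credited) | set(debited)}


def find_minting_operations(effects, exempt_operations=frozenset()):
    """Return the operations whose native credits exceed native debits.

    Fees are charged at the transaction level and are not reported as
    effects, so a positive delta means lumens appeared from nowhere.
    exempt_operations lets a caller skip operations known to mint
    legitimately, such as historical inflation payouts.
    """
    return {op_id: delta
            for op_id, delta in native_delta_per_operation(effects).items()
            if delta > 0 and op_id not in exempt_operations}


if __name__ == "__main__":
    for op_id, delta in sorted(find_minting_operations(SAMPLE_EFFECTS).items()):
        print(f"operation {op_id}: net +{delta} XLM created")
```

Against real Horizon output the same check runs over paginated `/ledgers/{seq}/effects` results, grouping by the operation URL in each record's `_links`. The one legitimate source of a positive delta on the historical network was the inflation operation, which credited lumens weekly without a matching debit, so an audit of the 2017 ledgers would exempt those operations rather than treat every positive delta as a bug.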
“In April 2017, Stellar was an emerging open-source project with a small but dedicated developer community. Announcing the bug in our release notes therefore made total sense—that’s how you reach those users. We mentioned it twice, in fact, in the notes, and we were very clear the bug had been exploited. From there, we took the additional step of burning Lumens to “true up” the supply, so that current $XLM owners wouldn’t be diluted and our projected total supply would remain accurate. We recognize that Stellar has since become significant financial software, and our disclosure standards have grown to reflect that reality. There’s been no notable bug since, and if there were we would disclose it in full detail as soon as it was patched. As we announced last month in our 2019 Roadmap we have already committed to a full accounting of all of SDF’s Lumens by the end of the year, and more details around this old bug were going to be (and still will be) part of that.”