According to a March 27 report by cryptocurrency intelligence company Messari, cross-asset payment network Stellar was exploited by an unknown attacker, who was able to mint more than 2 billion Stellar Lumens (XLM) without detection.
According to the report, the attacker exploited a bug in the Stellar blockchain protocol, manipulating the ‘MergeOPFrame::doApply’ function to mint 2.25 billion XLM, which at the time was equivalent to 25 percent of the circulating Stellar supply.
Although the related addresses and other records of the bug can no longer be accessed via the Stellar explorer, the Messari team were able to access the details through Stellar Horizon. There it was determined that the then nearly $10 million worth of XLM was moved to exchanges, and likely sold during the 2017 bull run.
As the eighth largest cryptocurrency, Stellar Lumens has a market capitalization of close to $13 billion. If the attacker(s) sold their illicit gains at the height of the 2017 boom, they could have exited with close to $2 billion, whereas today the same 2.25 billion XLM would only be worth $300 million.
According to the Stellar Development Foundation (SDF), the XLM inflation rate is set at 1 percent per year, with the total supply growing at this rate. However, as a result of the exploit, the circulating supply was suddenly increased by 25 percent in 2017, though it appears that this went largely unnoticed by media outlets, while the SDF kept relatively mute on the subject.
Commenting on the report, a representative of Stellar had the following to say:
“In April 2017, Stellar was an emerging open-source project with a small but dedicated developer community. Announcing the bug in our release notes therefore made total sense […] We mentioned it twice, in fact, in the notes, and we were very clear the bug had been exploited.”
Shortly after the inflation bug was discovered by the SDF, an equivalent amount of XLM was reportedly burned to correct the circulating supply, essentially undoing the damage caused by the attacker. The SDF also pledged to provide a full account for all of its Lumens by the end of the year, while shedding further light on the inflation bug during the process.
The research documented in the report was carried out by Messari — a company looking to bring transparency to the crypto-economy by disseminating information to investors, developers and regulators alike.
Do you think the Stellar Development Foundation was forthcoming enough with the exploit? Let us know your thoughts in the comments below!