Messari, a New York-based research firm, has released a report in which it noted that the Stellar (XLM) platform had been affected by a software glitch. The glitch reportedly led to 2.25 billion extra XLM tokens (approximately $10 million at that time) being printed.
Messari’s report, published on March 27th, 2019, reads:
[Stellar] suffered a significant yet lightly reported inflation bug in April of 2017.
Explaining how they discovered the XLM bug, Messari’s management stated in its report that its researchers had been examining the “supply details” of the top 50 cryptocurrencies. While researching, Messari’s team found that in 2017 a hacker “exploited a concurrency bug” that was present in Stellar’s codebase.
Public Disclosures Regarding XLM Inflation Bug “Relatively Muted”
Specifically, the software bug was located in the Stellar protocol’s "MergeOPFrame::doApply" function and led to the creation of 2.25 billion XLM. As mentioned in Messari’s report, this inflation accounted for almost 25% of XLM’s circulating supply in April 2017. However, researchers at the crypto intelligence firm claim that “public disclosures at the Stellar Development Foundation (SDF) regarding the event were relatively muted.”
Moreover, Messari’s researchers noted that media outlets failed to report the incident and they also did not seem to notice when the SDF burned “an equivalent amount of XLM from its community reserve to offset” the inflation.
According to Messari’s research report, the “affected addresses” and other information related to them are not available on any standard block explorer or on Stellar Expert, a block explorer and analytics platform for the Stellar network. The report also states that its team “was able to track the historical transactions through the Horizon client transaction history.”
Messari: Extra XLM Tokens Most Likely Sold During Market Run-Up Of H1 2017
Although it cannot confirm where exactly the extra 2.25 billion XLM tokens went, Messari’s research team believes that the large amount of cryptocurrency was most likely “moved to exchanges and ... sold amidst the market run-up during the first half of 2017.”
In response to Messari’s claims and report, the representatives at the SDF told the US-based crypto research company that in April 2017, “Stellar was an emerging open-source project with a small but dedicated developer community. Announcing the bug in our release notes therefore made total sense—that’s how you reach those users.”
Stellar’s team also stated:
We mentioned it twice, in fact, in the [project release] notes, and we were very clear the bug had been exploited. From there, we took the additional step of burning Lumens to “true up” the supply, so that current $XLM owners wouldn’t be diluted and our projected total supply would remain accurate. We recognize that Stellar has since become significant financial software, and our disclosure standards have grown to reflect that reality.
The SDF added:
There’s been no notable bug since, and if there were we would disclose it in full detail as soon as it was patched. As we announced last month in our 2019 Roadmap we have already committed to a full accounting of all of SDF’s Lumens by the end of the year, and more details around this old bug were going to be (and still will be) part of that.