By CCN.com: A bug in the code for Stellar – the eighth-largest cryptocurrency – allowed an attacker to successfully generate 2.25 billion lumens in April 2017. Stellar quietly patched the bug in version 0.6.2, released in May of that year. The only note about the inflation bug reads:
“fix inflation bug that would calculate the wrong amount under rare circumstances”
Stellar made no blog posts or overtly public announcements about the issue. To deal with the unexpected inflation, which represented 25% of the XLM supply at the time and got sold on exchanges, Stellar ate the loss themselves. They burned 2.25 billion corresponding tokens from their reserves to “true up” supply. Their goal was to prevent dilution among average holders.
According to Messari Research, which has been investigating the supply and market capitalization of various cryptocurrencies, including Ripple and Stellar, the coins were moved to crypto exchanges immediately after creation.
“The $XLM that was created was moved to exchanges and likely sold amidst the market run-up during the first half of 2017.”
Stellar defends their actions in the following note:
“In April 2017, Stellar was an emerging open-source project with a small but dedicated developer community. Announcing the bug in our release notes therefore made total sense—that’s how you reach those users. We mentioned it twice, in fact, in the notes, and we were very clear the bug had been exploited. From there, we took the additional step of burning Lumens to “true up” the supply, so that current $XLM owners wouldn’t be diluted and our projected total supply would remain accurate. We recognize that Stellar has since become significant financial software, and our disclosure standards have grown to reflect that reality. There’s been no notable bug since, and if there were we would disclose it in full detail as soon as it was patched. As we announced last month in our 2019 Roadmap we have already committed to a full accounting of all of SDF’s Lumens by the end of the year, and more details around this old bug were going to be (and still will be) part of that.”
The 0.6.2 patch immediately precedes Stellar’s first significant price rise. Bitcoin itself had just recently made its return to $1,000 and was heading upwards from there. By the end of that year, a single Bitcoin would be worth around $20,000. Stellar saw its price soar as high as $0.85 several months later. It is questionable what effect the news of the inflation bug would have had on the market.
In all likelihood, the subject would have come up every time Stellar was discussed in the media and among traders. If it didn’t lead to a price crash, it probably would have slowed growth. Jed McCaleb knows this all too well. The Ripple co-founder who left to create Stellar should understand as well as anyone the effect that poor security can have on a market: he was deeply involved with Mt. Gox, which arguably precipitated Bitcoin’s first extended bear market.
Messari Research has previously reported that Ripple’s market capitalization is probably hugely overstated. Founder Ryan Selkis received death threats and excessive trolling as a result of publishing that report.
Stellar taking the 2.25 billion XLM loss themselves is probably an admirable move, but the community should have been made aware of the situation. Stellar thinks only crypto developers needed to know, but there are thousands of investors and various regulators who may disagree.
Stellar is not the only cryptocurrency which has suffered inflationary bugs.
Bitcoin itself had this problem in August of 2010 when several times the max supply of BTC were generated in a single block. A hard fork was conducted to fix the issue. In more recent times, Bitcoin became vulnerable to another inflation bug.
Similarly, Zcash patched a bug not too long ago that would have allowed for “infinite” inflation on the privacy-centric crypto network.
Last modified: August 2, 2020 10:57 AM UTC