Stellar has come under fire for its treatment of an inflation bug that occurred almost two years ago. This week, Messari Research issued a report indicating that in 2017, Stellar “quietly patched” a major vulnerability that allowed an attacker to freely create millions of dollars' worth of Stellar Lumens (XLM).
Messari’s report has attracted controversy: Stellar actually disclosed the bug in 2017, but this disclosure was buried deep in its release notes, and it gained virtually no attention at the time. The community is divided as to whether Stellar is to blame for downplaying the problem or whether Messari is being uncharitable by digging up old issues.
The Bug In Detail
The bug turned out to be costly: it allowed attackers to create 2.2 billion XLM tokens, worth $10 million at the time of the attack. This represented 25% of Stellar’s circulating supply. Although Stellar destroyed an equivalent amount of XLM to “true up” the supply, the attackers managed to get away with their illicitly created tokens.