Stellar: ten million dollar bug

Stellar attacker

Today Stellar Company is rather popular in cryptomarket. It is on the 8th place market capitalization. But few people know that some years ago Stellar suffered from a great mistake. At that time, the situation was almost unnoticed. This bug was decided not to be made public. The analytical company, called Messari, reached such a conclusion. Messari is a famous corporate that researches the cryptocurrencies market.

The incident with Stellar happened three years ago. An unknown attacker used a bug in cryptocurrency protocol. An error allowed to produce about 2.25 billion tokens. The total cost of all the coins at that point was around $10 million. All new XLM coins were sold immediately after the attack on cryptomarket stocks. This fact was noted by the analytics from Messari Company.

But Stellar was not the only one who faced such a problem as an inflation mistake. Messari also remembers some similar situations:

  1. The Electronic Coin Company recently published a bug report. The error was revealed in a cryptocurrency protocol. Technically, a disclosed bug could afford to issue new coins non-stop.
  2. In 2018 a Coinmetrics Company found a bug in Bitcoin Private protocol. It allowed them to issue 2 million coins additionally, not provided for in a white paper. Afterward, the team used to solve this problem by burning coins.

Yet, such an event in Stellar showed up among other stories because of the scale of an occurrence. As a result of this error issued tokens accounted for 25% of the XLM volume in circulation. The reaction of the developers was rather interesting. They preferred to keep this story in secret and to conceal it from the community. People knew about the Stellar inflation bug only from the report made later on by Messari.

The essence of the error made by Stellar Lumens

As Messari analytics stated, creating new XLM was able due to the particular program bug. An error helped to merge user accounts and double the assets. This program error was used 110 times in 2017. It allowed creating more than 2 billion new tokens.

The XLM developers reveled this bug at the beginning of April 2017. After it, they corrected this error quickly and unnoticeably. This fact was stated in a Messari report. In Stellar channels, all the network reports are labeled with special tags. The specific date is also indicated. In three of these reports, there was a non-standard tag “not for general use”. Exactly in these reports, there was information about fixing the inflation bug.

Jed McCaleb was involved in solving this problem immediately. He posted a preliminary bug fix on the 6th of April. On April 30 an official announcement about the network updating appeared. During this period, the attack vector remained open. According to Messari, the reason was to test the fix.

In an official announcement on April 30, Stellar mentioned a fixed bug. Yet it was paid very little attention to it. In particular, the developers did not say about the scale of the problem. The created XLMs were sold on crypto exchanges. To remedy the situation, the creators of the cryptocurrency used a trick. They decided to burn the corresponding amount of tokens from the project’s reserves.

Messari analysts were able to find the bug. They used the Horizon client which is not available in block browsers. Stellar’s spokesman C. Rudder commented on the appearance of the Messari report. He agreed that the developers could have responded to the inflation error another way.

“Stellar was a developing project in April 2017. Our community of developers was not big, but all of them were dedicated to the program. We have mentioned this bug twice and we were sure that it became known. We have taken steps to burn the tokens to keep the planned emission volume the same. Stellar is now a great project, and our standards and rules have changed to match this reality. We always try to say about any serious mistake in detail. We never keep in secret such failures”, Rudder said.

He added that a full inventory of Stellar Lumens will be completed by the end of the year. It is assumed that in the report there will be more information about those inflation errors. The bug cost $10 million.

Yet, Stellar is known not only with such a failure that it tried to hide. The Company has an active community and it calls for help in hard times and crisis periods in the world. Stellar donated 2.5 million XLM as part of a mutual aid campaign to fight COVID-19. During the pandemic people needed medical help as well as finances.

The founders said that similar organizations should join their efforts and capabilities. It is necessary to help those who are fighting against the coronavirus pandemic. Organizations that help save lives should receive support. Everyone who has the opportunity to do so shouldn’t stay away.

Anyone can make a mistake and lose money. But not everyone can spend money on a good deed.

About Evans Kwesi 7 Articles
Evans is a Kape Town-based tech journalist and crypto enthusiast covering how technology is affecting business. He enjoys writing about Altcoins, blockchain technology, stock market news, fintech and financial news. Evans also writes about tech startups and new technologies.