Report: Stellar suffered a 2.2 billion XLM inflation bug in 2017

More than 2.2 billion Lumens (XLM) were created in April 2017 by an attacker exploiting a bug in Stellar's code, according to a report by Messari.

While the Stellar Development Foundation did publicly disclose and patch the inflation bug in 2017, there was limited media coverage regarding the attack. At that time 2.2 billion XLM was worth approximately $10 million, which was 2.2% of the total supply of available XLM.

According to Messari, the additional XLM was created by exploiting the "MergeOpFrame:doApply" function, which merges a "source account into a destination account, thereby discarding the source account and transferring all the source account balance into the destination balance." However, the attacker called the function simultaneously multiple times, which enabled them to merge the same source account into multiple destination accounts, creating additional XLM in the process. This bug was exploited 110 times, which led to the creation of over 2.2 billion XLM.
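To make the failure mode concrete, here is an added toy model of the bug class described above. It is not stellar-core code; the ledger, account names and balances are all constructed, and the "fixed" path simply assumes the real-world rule that a transaction applies its operations against live state and fails as a whole if a source account is already gone.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Ledger:
    """Minimal ledger: account id -> XLM balance (constructed toy data, not real accounts)."""
    balances: Dict[str, int] = field(default_factory=dict)

    def total_supply(self) -> int:
        return sum(self.balances.values())

def merge_tx_buggy(ledger: Ledger, source: str, destinations: List[str]) -> Ledger:
    """Several account-merge ops in one transaction, each reading the source balance
    from a snapshot taken before the transaction. The balance is credited once per
    destination while the source account is removed only once, so XLM is minted."""
    snapshot = dict(ledger.balances)
    new = Ledger(dict(ledger.balances))
    for dst in destinations:
        src_balance = snapshot[source]                 # stale read: never sees the earlier merge
        new.balances[dst] = new.balances.get(dst, 0) + src_balance
        new.balances.pop(source, None)                 # first call removes it, later calls are no-ops
    return new

def merge_tx_fixed(ledger: Ledger, source: str, destinations: List[str]) -> Ledger:
    """Same ops applied against live state, atomically: an op whose source no longer
    exists fails the whole transaction and the ledger is returned unchanged."""
    new = Ledger(dict(ledger.balances))
    for dst in destinations:
        if source not in new.balances:
            return ledger                              # rollback: second merge finds the source gone
        src_balance = new.balances.pop(source)
        new.balances[dst] = new.balances.get(dst, 0) + src_balance
    return new

def supply_conserved(before: Ledger, after: Ledger) -> bool:
    """Post-transaction invariant a ledger should enforce: a merge moves XLM, never mints it."""
    return before.total_supply() == after.total_supply()

if __name__ == "__main__":
    start = Ledger({"src": 100, "dst1": 0, "dst2": 0})
    bad = merge_tx_buggy(start, "src", ["dst1", "dst2"])
    good = merge_tx_fixed(start, "src", ["dst1", "dst2"])
    print(bad.balances, supply_conserved(start, bad))    # {'dst1': 100, 'dst2': 100} False
    print(good.balances, supply_conserved(start, good))  # {'src': 100, 'dst1': 0, 'dst2': 0} True
```

Running the supply invariant after every transaction is the detection that would have flagged each of the 110 exploiting transactions as they were applied.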

In response to the bug, the Stellar Development Foundation decided to burn the same amount of XLM from its community reserves to avoid diluting XLM owners at that time.

A representative from the Stellar Development Foundation sent Messari the following:

"In April 2017, Stellar was an emerging open-source project with a small but dedicated developer community. Announcing the bug in our release notes therefore made total sense—that’s how you reach those users. We mentioned it twice, in fact, in the notes, and we were very clear the bug had been exploited. From there, we took the additional step of burning Lumens to "true up" the supply, so that current XLM owners wouldn’t be diluted and our projected total supply would remain accurate."

"We recognize that Stellar has since become significant financial software, and our disclosure standards have grown to reflect that reality. There’s been no notable bug since, and if there were we would disclose it in full detail as soon as it was patched. As we announced last month in our 2019 Roadmap we have already committed to a full accounting of all of SDF’s Lumens by the end of the year, and more details around this old bug were going to be (and still will be) part of that."