Analysts at Messari have made public a serious inflation bug that was exploited on the Stellar network in April 2017. The incident went almost unnoticed.
According to them, an attacker used a bug in the MergeOpFrame::doApply function of the Stellar protocol to create about 2.25 billion XLM (about $10 million at the time).
Subsequently, the coins were transferred to exchanges and probably sold in the first half of 2017. The analysts were able to trace the history of transactions related to the bug through the Horizon client; that history is not available in block explorers.
This illicit inflation represented nearly 25% of circulating supply in April of 2017, but public disclosures at the Stellar Development Foundation (“SDF”) regarding the event were relatively muted, and no media seems to have previously reported on the bug or the SDF’s subsequent decision to burn an equivalent amount of XLM from its community reserve to offset the illicit inflation.
A preliminary fix for the bug was introduced by Stellar founder Jed McCaleb on April 6, but the attack vector remained open until the fix was officially released on April 30.
In turn, representatives of Stellar stated that they had mentioned the exploitation of the bug a couple of times in the release notes and have since substantially revised their standards for disclosing information.
We recognize that Stellar has since become significant financial software, and our disclosure standards have grown to reflect that reality. There’s been no notable bug since, and if there were we would disclose it in full detail as soon as it was patched.
In November 2018, transactions for billions of XLM tokens, all made from the same address, were seen on the Stellar network. The total amount of the transfers exceeded the supply of coins available on the market, but it soon became clear that the transactions were fake.