Report Reveals Stellar Swept a Bug Worth 2.25 Billion XLM ($10M) Under the Rug

A blockchain research company called Messari released a report last Wednesday that reveals a hack on the Stellar platform from all the way back in early 2017. According to the report, the hack went unnoticed by the media because Stellar conveniently chose a way to report on the bug that got no media attention.

Hacks on a blockchain platform, whether new or old, have always attracted a lot of media attention and hurt the parent company in many different ways because of the bad press. The news that a bug and exploit of this magnitude were swept under the rug, however, is sure to spread some nervous energy through the Stellar community.

According to the report by Messari, a hacker exploited a bug in the Stellar protocol to create 2.25 billion XLM, which at the time were worth $10 million. Because of the way Stellar chose to report on the bug and the subsequent exploit, it went unnoticed by the public and the media. In response, the Stellar Development Foundation (SDF) burned an equal amount of lumens from its own holdings. In a statement to Messari, Stellar representatives explained how they chose to report on the bug.

“In April 2017, Stellar was an emerging open-source project with a small but dedicated developer community. Announcing the bug in our release notes, therefore, made total sense—that’s how you reach those users. We mentioned it twice, in fact, in the notes, and we were very clear the bug had been exploited. From there, we took the additional step of burning Lumens to “true up” the supply, so that current $XLM owners wouldn’t be diluted and our projected total supply would remain accurate. We recognize that Stellar has since become significant financial software, and our disclosure standards have grown to reflect that reality.”

The report also describes how the exploit was carried out. The attacker(s) abused a function in the Stellar network's code base called `MergeOpFrame::doApply`. The report explains that the function works by "merging the source account into a destination account, thereby discarding the source account plus transferring all the source account balance to the destination balance." The attackers were able to invoke this operation 110 times and in doing so created 2.25 billion XLM that had never been issued.
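The page does not say what was wrong inside `MergeOpFrame::doApply`, so nothing below reproduces the actual Stellar defect. What follows is an added illustration (not code from Stellar, stellar-core, or the Messari report) of the property a merge operation must preserve and the audit a practitioner would run to catch a violation of it: the sum of all account balances must equal the total ever issued, before and after every merge, and a second merge of an already-merged source must find nothing to move. The toy ledger, the `stroops` unit assumption (1 XLM = 10^7 stroops, integer arithmetic only) and the sample account names are assumptions made for this example.

```python
"""Toy ledger with an account-merge operation and a supply-conservation audit.

Added illustration only. Not stellar-core code and not the 2017 bug; the page
does not describe that defect. It shows the invariant around any merge-style
operation: total issued supply is unchanged afterwards, and the same source
cannot be merged twice.
"""
from dataclasses import dataclass, field

# Assumption for this toy: balances are kept as integers, 1 XLM = 10^7 stroops.
STROOPS_PER_XLM = 10_000_000


class LedgerError(Exception):
    """Raised when an operation is rejected by the ledger."""


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)  # account id -> balance in stroops
    issued: int = 0                                # total supply put into circulation

    def issue(self, account: str, amount: int) -> None:
        """Issuer creates new supply; the only legitimate way balances grow in total."""
        if amount <= 0:
            raise LedgerError("issue amount must be positive")
        self.balances[account] = self.balances.get(account, 0) + amount
        self.issued += amount

    def merge(self, source: str, destination: str) -> int:
        """Merge `source` into `destination`: move the full balance, delete the source.

        The source is removed from the map in the same step its balance is read,
        so a later merge of the same source finds no account and is rejected
        instead of moving the balance again.
        """
        if source == destination:
            raise LedgerError("cannot merge an account into itself")
        if source not in self.balances:
            raise LedgerError(f"unknown source account {source}")
        if destination not in self.balances:
            raise LedgerError(f"unknown destination account {destination}")
        amount = self.balances.pop(source)      # read and delete atomically
        self.balances[destination] += amount
        return amount

    def total_balance(self) -> int:
        return sum(self.balances.values())

    def audit(self) -> bool:
        """Supply-conservation check: circulating balances equal what was issued."""
        return self.total_balance() == self.issued


def merge_preserves_supply(ledger: Ledger, source: str, destination: str):
    """Apply one merge and return (amount_moved, invariant_held).

    A merge that minted or destroyed lumens would make the second value False.
    """
    before = ledger.total_balance()
    moved = ledger.merge(source, destination)
    after = ledger.total_balance()
    return moved, (after == before and ledger.audit())


def repeated_merge_attempt(ledger: Ledger, source: str, destination: str, attempts: int):
    """Try to merge the same source `attempts` times.

    Returns (total_moved, rejected_attempts). Only the first attempt can move
    funds; every further one is rejected because the source no longer exists.
    """
    moved = 0
    rejected = 0
    for _ in range(attempts):
        try:
            moved += ledger.merge(source, destination)
        except LedgerError:
            rejected += 1
    return moved, rejected


def detect_inflation(ledger: Ledger) -> int:
    """Stroops by which circulating balances exceed issued supply (0 when sound)."""
    return ledger.total_balance() - ledger.issued


if __name__ == "__main__":
    # Constructed sample state, not real Stellar accounts.
    ledger = Ledger()
    ledger.issue("GALICE", 100 * STROOPS_PER_XLM)
    ledger.issue("GBOB", 5 * STROOPS_PER_XLM)
    print(merge_preserves_supply(ledger, "GALICE", "GBOB"))
    print(repeated_merge_attempt(ledger, "GALICE", "GBOB", 110))
    # A constructed ledger whose balances exceed its issued supply is what an
    # audit would flag after an inflation bug; 2.25 billion XLM over issuance.
    tampered = Ledger(balances={"GEVIL": 2_250_000_000 * STROOPS_PER_XLM}, issued=0)
    print(detect_inflation(tampered) // STROOPS_PER_XLM, "XLM over issued supply")
```

The check in `audit` is the one worth wiring into a node's post-apply path or a periodic reconciliation job: it is independent of how any individual operation is implemented, so it catches a supply-creating defect even when the operation itself looks correct in code review.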

The representatives went on to acknowledge, indirectly, that the transparency around the exploit fell short of any reasonable standard. "There's been no notable bug since, and if there were we would disclose it in full detail as soon as it was patched," the representatives said in an attempt to reassure their customers and users.
