Stellar has come under fire for its treatment of an inflation bug that occurred almost two years ago. This week, Messari Research issued a report indicating that in 2017, Stellar “quietly patched” a major vulnerability that allowed an attacker to freely create millions of dollars worth of Stellar Lumens (XLM).
Messari’s report has attracted controversy: Stellar actually disclosed the bug in 2017, but this disclosure was buried deep in its release notes, and it gained virtually no attention at the time. The community is divided as to whether Stellar is to blame for downplaying the problem, or if Messari is being uncharitable by digging up old issues.
The Bug In Detail
The bug turned out to be costly: it allowed attackers to create 2.2 billion XLM tokens, worth $10 million at the time of the attack. This represented 25% of Stellar’s circulating supply. Although Stellar destroyed an equivalent amount of XLM to “true up” the supply, the attackers managed to get away with their illicitly created tokens.
Messari also claims that the addresses that were affected by the bug can no longer be seen on block explorers. This obviously raises questions about Stellar’s commitment to transparency. Messari says that it was only able to investigate the issue by looking through historical data in the Stellar Horizon client.
Stellar is not the only platform to experience a vulnerability of this type. Zcash and Bitcoin have also had bugs that could have allowed attackers to freely create tokens. However, those bugs were patched before anyone could exploit them, meaning that Stellar has the unfortunate distinction of falling victim to this type of bug.
Stellar Defends Itself
Stellar believes that the bug received little attention because the project was small at the time, and it points out that it disclosed the bug twice. However, Stellar says that it will disclose bugs in a more visible way from now on, and that its disclosure standards will change to reflect Stellar’s status as “significant financial software.”
Stellar is indeed trying to become a serious competitor in the realm of blockchain-based banking. The project has recently undergone a major branding makeover and has hired a new leader with a new vision. Stellar is also powering World Wire, a new service from IBM that is targeted at major financial institutions.
Clearly, this is an inopportune time for Stellar’s old skeletons to be dragged into the light. However, it seems that Stellar will embrace the issue: it says that it will publish more details about the bug later this year as part of its accounting plan. Whether this will reassure Stellar’s users and potential clients remains to be seen.