Blockchain research company Messari, on Wednesday, March 27th, released a report that identifies a hack on the Stellar network from back in early 2017 which went completely unnoticed by the media.
According to Messari, a hacker exploited a bug in the Stellar protocol to create 2.25 billion Stellar Lumens (XLM), worth about $10 million at the time of the attack. The incident never received any media coverage and therefore went unnoticed by the public.
To correct the XLM circulating supply, the Stellar Development Foundation (SDF) burned an equal number of coins from its treasury. According to a statement from an SDF representative, the incident was disclosed at the time in release-note documentation aimed at the developer community.
“In April 2017, Stellar was an emerging open-source project with a small but dedicated developer community. Announcing the bug in our release notes, therefore, made total sense—that’s how you reach those users. We mentioned it twice, in fact, in the notes, and we were very clear the bug had been exploited. From there, we took the additional step of burning Lumens to “true up” the supply, so that current $XLM owners wouldn’t be diluted and our projected total supply would remain accurate. We recognize that Stellar has since become significant financial software, and our disclosure standards have grown to reflect that reality,” the representatives said.
According to the report, the hacker(s) exploited a function named “MergeOpFrame::doApply”, which works by merging the “source account into a destination account, thereby discarding the source account plus transferring all the source account balance to the destination balance.”
The bug allowed the hacker to call this function repeatedly, 110 times in this instance, effectively creating 2.25 billion coins out of thin air. The illicitly created coins were then transferred to exchanges and likely sold off to avoid being tracked on the blockchain.
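The following is an added, simplified model of the failure class described above; it is not stellar-core code and does not reproduce the actual 2017 defect, whose exact mechanics the report summary here does not give. It assumes a hypothetical ledger where a merge operation that credits the destination without actually discarding the source entry can be re-applied within one atomic transaction, and it pairs that with a corrected handler and a supply-conservation check of the kind a ledger should enforce at commit time. Account ids and balances are constructed.

```python
"""Toy ledger model: a 'merge account' operation, a hypothetical version of it
that fails to discard the source entry, a corrected version, and a
conservation-of-supply invariant. Not stellar-core code; all ids/balances
are constructed for illustration."""
from copy import deepcopy


class LedgerError(Exception):
    """Raised when an operation is invalid; the whole transaction is rejected."""


def merge_vulnerable(balances, src, dst):
    """Hypothetical defective handler: credits dst with src's balance but
    leaves the src entry in place, so a second merge of the same src in the
    same transaction reads the same balance again and credits it again."""
    if src not in balances or dst not in balances:
        raise LedgerError("account not found")
    balances[dst] += balances[src]
    # Defect modelled here: src is never removed (or zeroed) from the ledger.


def merge_fixed(balances, src, dst):
    """Corrected handler: the source entry is removed in the same step that
    credits the destination, so a repeated merge fails validation."""
    if src not in balances or dst not in balances:
        raise LedgerError("account not found")
    if src == dst:
        raise LedgerError("cannot merge an account into itself")
    balances[dst] += balances.pop(src)


def total_supply(balances):
    """Sum of all balances; must not change across a merge-only transaction."""
    return sum(balances.values())


def apply_transaction(balances, ops, merge_op):
    """Apply a list of (src, dst) merge ops atomically.

    Returns (new_balances, applied). On any LedgerError the original ledger
    is returned unchanged, mirroring all-or-nothing transaction semantics."""
    work = deepcopy(balances)
    try:
        for src, dst in ops:
            merge_op(work, src, dst)
    except LedgerError:
        return balances, False
    return work, True


def supply_invariant_ok(before, after):
    """Commit-time check: merges move value, they never create or destroy it."""
    return total_supply(before) == total_supply(after)


def run_scenario(merge_op, repeats=110):
    """Build a constructed ledger, submit `repeats` merges of SRC into DST in
    one transaction, and report what the ledger and the invariant observe."""
    start = {"SRC": 20_000_000, "DST": 0}  # constructed balances, in XLM
    ops = [("SRC", "DST")] * repeats
    end, applied = apply_transaction(start, ops, merge_op)
    return {
        "applied": applied,
        "dst_balance": end.get("DST", 0),
        "supply_delta": total_supply(end) - total_supply(start),
        "invariant_ok": supply_invariant_ok(start, end),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(merge_vulnerable))
    print("fixed x110:", run_scenario(merge_fixed))
    print("fixed x1:  ", run_scenario(merge_fixed, repeats=1))
```

With the defective handler the 110-operation transaction is accepted and the destination ends up holding 110 times the source balance while the source still exists, which the supply invariant flags. With the corrected handler the second merge fails, the whole transaction is rejected, and a single legitimate merge passes the invariant. The practical lesson for a defender is that the invariant check is cheap, independent of the operation logic, and would have surfaced this class of bug at ledger close regardless of which handler contained it.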
The report notes that the addresses involved in this hack are no longer visible on any Stellar blockchain explorer, but Messari was able to identify them using the Horizon Application Programming Interface (API).
The SDF representatives further stated that they will commit to full public disclosure of such incidents in the future. They wrote,
“There’s been no notable bug since, and if there were we would disclose it in full detail as soon as it was patched.”