Lumen Loop
Article · stellar.org · Stellar Development Foundation · 2y ago

Fee Bump Bug Disclosure and the Impact on the Protocol 20 Upgrade

The Stellar Development Foundation disclosed a bug in Stellar Core v20.1.0 affecting fee-bumped Soroban transactions, where refunds are incorrectly sent to the sponsored account instead of the sponsor. SDF decided to proceed with the Protocol 20 upgrade vote on January 30 as planned, citing low risk during early Soroban phases and the availability of mitigation best practices.

Tags: Soroban, Security, Developers
Lumen Loop's take

A bug was discovered in Stellar Core v20.1.0 that impacts fee-bumped Soroban transactions, causing refundable fee components to be sent to the wrong account. The bug only affects Soroban fee bumps and could result in users receiving fractional XLM refunds or malicious actors attempting to maximize refunds. The Stellar Development Foundation, acting as a validator, decided to proceed with the Protocol 20 upgrade vote scheduled for January 30, believing the bug poses low risk during Phases 0 and 1 of Soroban's rollout due to strict transaction limits. However, the decision ultimately rests with other validators. SDF provided detailed mitigation best practices for applications sponsoring transactions, including limiting sponsored resources, restricting interactions to trusted contracts, and avoiding certain transaction patterns. SDF engineers are already working on a fix and committed to rolling out a new Stellar Core release across the network once available.

Mentioned projects
Stellar Development Foundation (Infrastructure & Services) · Audited · Infrastructure, Community

The Stellar Development Foundation (SDF) is a non-profit organization that supports the development and growth of the Stellar ne…
