Stellar suffered a critical inflation bug in April 2017, in which an attacker exploited the merge function to create 2.2 billion XLM (worth ~$10M at the time). The Stellar Development Foundation (SDF) patched the bug, disclosed it in release notes, and burned an equivalent amount of XLM from reserves to prevent dilution.

A Messari report revealed that Stellar experienced a significant security incident in April 2017, when an attacker exploited a bug in the MergeOpFrame::doApply function to create over 2.2 billion XLM, representing 2.2% of total supply at the time. The attacker called the merge function multiple times simultaneously across 110 transactions, which allowed a single source account to merge into multiple destinations and generate additional tokens. The Stellar Development Foundation (SDF) publicly disclosed and patched the vulnerability in release notes and took the additional step of burning an equivalent amount of XLM from community reserves to keep the supply accurate and prevent dilution of existing holders. The SDF acknowledged that, while disclosure standards have evolved since 2017, the incident was handled appropriately for an emerging project, and it committed to a full accounting of all SDF Lumens.
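The failure class described above (one source account merged into several destinations, so total supply grows) can be shown on a simplified ledger model. This is an added example, not stellar-core code: the function names, the sample balances, and the stale-snapshot read used as the flaw are assumptions, since the report does not detail the root cause. It pairs a flawed merge with a hardened one and a supply-conservation check that rejects any transaction that changes the total.

```python
# Simplified ledger model of an account-merge operation (constructed for
# illustration; not stellar-core code). Balances are integers keyed by account.

def merge_vulnerable(working, snapshot, source, dest):
    # Flaw (assumed stand-in): the credited amount comes from a snapshot taken
    # before the transaction, and the source's existence is never re-checked.
    working[dest] = working.get(dest, 0) + snapshot[source]
    working.pop(source, None)

def merge_hardened(working, snapshot, source, dest):
    # Use only live state: the source must still exist and differ from dest.
    if source not in working or dest not in working or source == dest:
        raise KeyError(source)
    working[dest] += working.pop(source)

def apply_tx(ledger, merges, merge_fn, check_supply=True):
    """Apply (source, dest) merges atomically; return (new_ledger, status)."""
    working, snapshot = dict(ledger), dict(ledger)
    try:
        for source, dest in merges:
            merge_fn(working, snapshot, source, dest)
    except KeyError:
        return dict(ledger), "rejected: invalid merge"
    # Conservation check: a merge moves balance, so total supply must not change.
    if check_supply and sum(working.values()) != sum(ledger.values()):
        return dict(ledger), "rejected: supply changed"
    return working, "applied"

# Constructed sample: account A is merged into both B and C in one transaction.
LEDGER = {"A": 100, "B": 0, "C": 0}
DOUBLE_MERGE = [("A", "B"), ("A", "C")]

if __name__ == "__main__":
    for name, fn, check in [("vulnerable, no check", merge_vulnerable, False),
                            ("vulnerable + supply check", merge_vulnerable, True),
                            ("hardened", merge_hardened, True)]:
        state, status = apply_tx(LEDGER, DOUBLE_MERGE, fn, check)
        print(f"{name}: {status}, supply={sum(state.values())}")
```

The supply check catches the inflation even when the merge logic itself is flawed, which is why a conservation invariant is worth running independently of per-operation validation.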