What is the worst scenario imaginable when creating a new currency?
There are probably a few, but the ability to infinitely inflate the supply at will would undoubtedly destroy any currency.
Most people don’t know this, but Bitcoin had two separate inflation bugs, where anybody could mint as many BTC as they wanted, well over the 21 million BTC limit.
If a bad actor had exploited these bugs, they would've run away with billions of dollars and destroyed Bitcoin as we know it.
Thankfully those bugs were fixed, but bugs of this kind are certainly still around, unsolved or undiscovered.
Here’s how they work and how to prevent them.
An inflation bug is a code vulnerability that allows the unintended generation of currency, typically only on platforms that use smart contracts (autonomous programs).
In blockchain computer science, it refers to any means of manipulating the token supply. Inflation bugs can still occur with secure, flawless code.
Whenever you hear that a platform got hacked but no one lost tokens, it’s likely an inflation bug.
That’s because the “loss” comes from creating tokens against the rules or out of thin air, then selling them, and leaving holders with a worthless project.
Depending on the project size, the token price could lose 90% overnight.
If unsolved, the inflation bug can drain all the funds ever deposited into the protocol.
That’s why it’s also called the infinite-minting bug. Both terms are essentially the same, although inflation bugs are broader and not limited to token generation.
Developers frequently request audits from agencies like Certik to look for inflation bugs and others. Here are a few common mistakes:
There are many variables that, when changed to unintended values, can cause inflation bugs.
It’s not as simple as a Generate token button. It has more to do with unintended functionality than actual coding errors.
In the MonoX Protocol example, an "attacker" deposited the same token for both pairs of the liquidity pool, causing the second token to update to a higher price.
The attacker then kept adding, 55 times, to further inflate his token quantity, and in the end sold it for other platform assets and left.
All because developers assumed there was no reason for anyone to swap equal tokens.
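The missing same-token check described above, as an added example that is not MonoX's code: a toy pool in C where a swap computes both new prices from the old state and writes the output side last. The names `Pool`, `pool_swap` and `price_after_self_swaps`, and the 10% price steps, are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

#define NTOKENS 2

/* Toy pool: one internal price per token, in fixed-point units. */
typedef struct { uint64_t price[NTOKENS]; } Pool;

/* Swap token `in` for token `out`. Selling lowers the price of `in` by 10%
 * and buying raises the price of `out` by 10% (constructed figures).
 * Both new prices are computed from the old state, then written back,
 * the input side first and the output side second. */
bool pool_swap(Pool *p, int in, int out, bool reject_same_token) {
    if (in < 0 || in >= NTOKENS || out < 0 || out >= NTOKENS) return false;
    if (reject_same_token && in == out) return false;   /* the missing check */

    uint64_t new_in  = p->price[in]  * 90 / 100;
    uint64_t new_out = p->price[out] * 110 / 100;
    p->price[in]  = new_in;
    p->price[out] = new_out;   /* when in == out this overwrites the decrease */
    return true;
}

/* Repeat a same-token swap `rounds` times and return the resulting price. */
uint64_t price_after_self_swaps(uint64_t start, int rounds, bool reject_same_token) {
    Pool p = { { start, start } };
    for (int i = 0; i < rounds; i++)
        pool_swap(&p, 0, 0, reject_same_token);
    return p.price[0];
}
```

Without the guard, every same-token swap nets a price increase because the second write wins; with it, the swap is refused and the price never moves.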
What’s the worst that can happen? If it’s stopped in time, developers can always burn the equivalent amount to mitigate the losses. The problems get worse when the token has no deposit limits or maximum supply.
From most to least obvious, the bug can:
E.g., in May 2022, the UST stablecoin came to an end after the collapse of the LUNC blockchain token. It soon relaunched as a 2.0 LUNA, but it never took off.
LUNC was a top 10 cryptocurrency worth almost $100, but that may not happen again in a long time.
Inflation bugs are about as old as Bitcoin, but that doesn't make them any less common today. Here are some infamous examples, some of which caused projects to shut down:
While at times Bitcoin may seem like the unbreakable cryptocurrency, it was at risk of vanishing twice: in 2010 and 2018. And who knows, maybe still to this day.
It's not unexpected to hear of vulnerabilities in the 2010s. Neither Bitcoin nor Ethereum started out perfect, and both had to upgrade continuously.
The case of August 2010 was a short-lived bug based on a numeric error called "integer overflow," and it created 184 billion Bitcoins.
Basically, the code for checking transactions didn't work if the values were too high.
It was so bad that Satoshi Nakamoto himself had to create a patched new version, also removing the 184B block and all that followed.
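How an output-sum check fails when values are too high, as an added example in C that is a simplified model and not Bitcoin's source code. The function names and the sample values (two outputs near the 64-bit signed maximum, together about 184 billion coins) are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define COIN      100000000LL            /* base units per coin */
#define MAX_MONEY (21000000LL * COIN)    /* 21 million coin cap */

/* Wrapping add through unsigned arithmetic, so the overflow is well-defined C. */
static int64_t wrap_add(int64_t a, int64_t b) {
    return (int64_t)((uint64_t)a + (uint64_t)b);
}

/* Weak check: rejects negative outputs only, then compares a sum
 * that may already have wrapped around to a small or negative number. */
bool check_outputs_weak(const int64_t *out, size_t n, int64_t in_total) {
    int64_t sum = 0;
    for (size_t i = 0; i < n; i++) {
        if (out[i] < 0) return false;
        sum = wrap_add(sum, out[i]);
    }
    return sum <= in_total;
}

static bool money_range(int64_t v) { return v >= 0 && v <= MAX_MONEY; }

/* Hardened check: every output and every running total must stay
 * inside [0, MAX_MONEY], so the addition can never overflow. */
bool check_outputs_strict(const int64_t *out, size_t n, int64_t in_total) {
    int64_t sum = 0;
    for (size_t i = 0; i < n; i++) {
        if (!money_range(out[i])) return false;
        sum += out[i];               /* both operands are <= MAX_MONEY */
        if (!money_range(sum)) return false;
    }
    return sum <= in_total;
}

/* Constructed sample: two huge outputs funded by an input of half a coin. */
static const int64_t SAMPLE_OUT[2] = { 9223372036854277039LL,
                                       9223372036854277039LL };
static const int64_t SAMPLE_IN = 50000000LL;
```

The two sample outputs sum to a negative number after wrapping, so the weak check sees them as spending less than the input, while the range-checked version rejects the first output outright.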
If that sounds outrageous, the second inflation bug enabled unlimited Bitcoins!
It was discovered by Bitcoin Core developer Matt Corallo in a crash report shared by Greg Maxwell on September 17th, 2018.
The cause of the inflation lay in the handling of unspent transaction outputs (UTXOs), which allowed miners to theoretically bypass the 21M limit by reusing already-spent Bitcoins.
By then, the Bitcoin price was around $6,000. Given the gravity, developers kept it a secret for two years until they were certain that it was no longer a risk.
In the meantime, they corrected the bug on the next Bitcoin Core version and urged as many miners as possible to update.
Terra UST was an algorithmic stablecoin (no backing) programmed to balance the supply and dollar peg based on a second token: Luna.
For example, if there’s a lot of demand for UST, the protocol mints more tokens by first locking Luna. It creates arbitrage opportunities on both sides (above and below $1 UST) to keep balance.
In May 2022, however, this was no longer maintained because the market cap of Luna had flipped UST’s.
Essentially, people panic-sold UST and didn’t want Luna despite the discount (for many reasons like insolvency risk, reduced rewards on Ankr, or the 85M UST sell order).
The UST mass sale unlocked more Luna, which within a few days increased its supply from 300M to 7 TRILLION. From $90 to <$0.01.
In October of 2022, cyber-attackers managed to generate two million BNB tokens on the Binance Bridge (~$570M).
Binance Bridge is a mint-burn bridge, meaning that before generating the token you want, you need proof that the first token was destroyed or sent to a burn address.
But attackers found a way to forge messages and generate tokens without burning any.
It would have been way worse if the BNB validators hadn't halted the blockchain, which isn't precisely a good thing.
If you hold BNB you likely didn’t notice much price action because the circulating supply is 155M, but there’s no maximum token limit.
Validators recently deflated BNB by regularly burning tokens.
Other inflation bug cases were reported for:
While there are many ways to avoid inflation bugs, none of them guarantees they won’t happen again.
Can developers really prevent the broad causes of inflation bugs? Overflow bugs, forgery, double spending? It's not just the code, but who uses it and how.
With that disclaimer, the best place to start is with crypto audits.
These professionals will look for both correct code and its implications. Some of their common recommendations are:
Note that any community submission can introduce bugs. The developer team should set a specific structure and rules for their review.
A safer approach is immutable code so that those submissions don’t overwrite or risk previous versions.
Inflation bugs are more common on blockchain bridges. So unless your protocol requires multichain features, sticking to one blockchain will greatly reduce security risks.
Max is a European based crypto specialist, marketer, and all-around writer. He brings an original and practical approach for timeless blockchain knowledge such as: in-depth guides on crypto 101, blockchain analysis, dApp reviews, and DeFi risk management. Max also wrote for news outlets, saas entrepreneurs, crypto exchanges, fintech B2B agencies, Metaverse game studios, trading coaches, and Web3 leaders like Enjin.