HomeResourcesBlogStacks (STX) Network Bug Allowed User to Gain More Than $453k Worth of Bitcoin In 2 Weeks

Stacks (STX) Network Bug Allowed User to Gain More Than $453k Worth of Bitcoin In 2 Weeks

A crypto user stumbled upon a bug in a smart contract within the Stacks (STX) network, which allowed him to gain an unusually high amount of rewards, approximately $453,105, in the form of Bitcoin (BTC) over just two weeks.

Stacks is a layer-2 solution that brings smart contract functionality to Bitcoin. It uses a consensus mechanism called Proof-of-Transfer (PoX), in which ‘Stacking’ rewards STX token holders with Bitcoin for providing consensus to the network by locking up their tokens for a certain time.

The bug occurred after an upgrade to the PoX smart contract, introducing a new function that allowed users to increase the amount of STX locked. This function had a flaw that caused the user’s STX backing their PoX address to be miscalculated, resulting in the user receiving a significantly higher amount of BTC rewards than intended.

PoX is an extension to Proof-of-burn models where miners compete by ‘burning’ (destroying) a proof-of-work cryptocurrency from an established blockchain as a proxy for computing resources. Unlike proof-of-burn, however, rather than burning the cryptocurrency, miners transfer the committed cryptocurrency to other participants in the network who are ‘Stacking’.

The Bitcoin transferred by miners is then used to provide Stacking rewards, paid in BTC to token holders for helping to ensure a stable network. ‘Stackers’ do this by locking up their tokens for a certain time and signaling the canonical chain tip.

What happened?

On April 18, 2023, A user in the official Stacks Discord channel reported that an address appeared to be erroneously gaining more rewards than what they should have been rewarded with.
Incident report on the official Stacks Discord server.
Incident report on the official Stacks Discord server.
The following day, after investigating this issue, the Stacks team announced that a bug had occurred in their PoX consensus mechanism’s smart contract, enabling a single user to obtain approximately half of the network’s rewards (Approximately 30 BTC) during a cycle.
The Stacks team announcement on their official website.

9 days later on April 28, 2023, the Stacks team released an update which approved two forks. The first fork would reset the PoX network state and disable Stacking temporarily while a further fix is developed. The second fork would introduce the new PoX (pox-3) contract, fixing the function causing the issue and reenabling PoX/Stacking.

How it Happened

On March 19 2023, the Stacks network upgraded to Stacks 2.1, which included changes to the PoX smart contract that handles Stacking, transitioning from PoX-1 to PoX-2.

Unfortunately, the new PoX-2 contract also introduced a bug, enabling one address to earn more BTC rewards than its allocated share of Stacking rewards associated with its reward slots. This amounted to approximately 50% of the total rewards of the entire network in that cycle. A stacking cycle is 2,100 Bitcoin blocks long, which is equivalent to approximately two weeks.

The address impacted by this bug had 2 reward slots out of a total 4000 reward slots, which should have yielded approximately 0.000038 BTC during that period. However, it yielded 15.475669 BTC (US $453,105) instead.

This bug stemmed from a newly-introduced function that allows a user to increase the amount of STX locked while the account already has locked STX. The new ‘stack-increase’ function invokes an internal function ‘increase-reward-cycle-entry’ to update the PoX contract’s data space to record the increase.

The bug caused any user who increased their total STX locked, to erroneously set the amount of STX backing their PoX address to match the current total number of STX locked by all users in that cycle, rather than the sum of their current locked STX amount and the additional amount they added.

The QLUETM graphs above indicate when the bug first happened, displaying how the user’s BTC holdings increased exponentially over the course of 2 weeks.

Closing Remarks

Bugs in consensus mechanisms can have drastic effects on any blockchain.

The Stacks (STX) token lost approximately a quarter of its value in the two weeks following the discovery of this bug.

This bug, if it had not been noticed and fixed promptly, and if it had been triggered enough times, it could have made the network experience a catastrophic failure, and crash entirely.

Similar issues exist in the crypto space, hence emphasizing the need for compliance, risk management as well as consumer protection.

Blockchain Intelligence Group builds technology to power compliance and intelligence for the blockchain-centric future. The company is trusted globally by banks, crypto companies, law enforcement, fintechs, regtechs and governments.

It offers a variety of tools for investigating criminal activity, transaction monitoring, risk management and due diligence for cryptocurrency and digital assets.

Blockchain Intelligence Group offers a compliance ecosystem to support your business: Address Watch, Block Explorer, Enhanced Due Diligence Reports, Case Management, Extended View which includes Exposure, Balance Over Time, Activity and more.

BitRank Verified® monitors and flags suspicious cryptocurrency transactions. Stay compliant. Get real-time transaction scoring. Clear low-risk transactions and flag high-risk ones. Quickly analyze transactions and addresses with easy-to-understand risk ratings that includes detailed flagging such as mixing, child exploitation, terrorism financing, sanctions, and more. Automate filing SARs and ExDD reports.

For more information, contact: [email protected]

Ehab Elnabarawy

Written By: Ehab Elnabarawy
Research & Development Engineer


  • Solutions
  • Training
  • Resources
  • Support