What is XLM?
XLM (Lumens) is the native cryptocurrency of the Stellar network, an open-source, decentralized protocol launched in 2014 by Ripple co-founder Jed McCaleb. Originally designed to facilitate fast, low-cost cross-border payments and connect unbanked populations to the global financial system, Stellar operates on a unique consensus mechanism known as the Stellar Consensus Protocol (SCP).
By March 2026, Stellar has successfully transformed from a purely payment-focused rail into a comprehensive, enterprise-grade financial infrastructure. Driven by the maturation of its Soroban smart contract platform and a massive surge in tokenized Real-World Assets (RWAs), Stellar has become the preferred settlement layer for traditional finance institutions like Franklin Templeton, U.S. Bank, and MoneyGram.
Risks Associated to the Digital Asset
Market Volatility & Competition Risk: XLM remains subject to broader cryptocurrency market volatility. Furthermore, it operates in a highly competitive sector, battling against Ripple (XRP), Solana, and various Ethereum Layer-2s for dominance in the cross-border payment and RWA tokenization markets. Any loss of institutional market share to these competitors could heavily impact XLM’s valuation.
Smart Contract Execution Risk: The introduction of the Soroban smart contract platform dramatically expanded Stellar's capabilities but also its attack surface. In late January 2026, the CVE-2026-24889 vulnerability was disclosed in the Soroban Rust SDK, highlighting arithmetic overflow risks that could potentially corrupt contract states. While quickly patched, it underscored the inherent risks of executing complex DeFi logic on the network.
Regulatory & Compliance Risk: Stellar is heavily reliant on traditional financial partnerships. Therefore, it is deeply exposed to shifting global regulations regarding stablecoins and cross-border digital payments. While Stellar has proactively introduced compliance-friendly privacy features, changing regulatory frameworks in the U.S. or EU could stall enterprise adoption.
Trading History of Digital Asset
Market Capitalization & Institutional Liquidity: In March 2026, XLM maintains a market capitalization of approximately $5.82 billion, securing its place among the top 20–30 global digital assets. The recent February 2026 debut of Stellar (XLM) futures on the CME Group has introduced a new layer of regulated institutional liquidity, with daily trading volumes frequently exceeding $100 million to $189 million.
Please refer to this external link for XLM Historical Data.
Incidents of Manipulation or Security Failures
Stellar (XLM) operates as an open-source, decentralized payment rail and smart contract platform optimized for the issuance and transfer of digital representations of fiat currencies and Real-World Assets (RWAs).
NBXNetwork Architecture & Consensus (SCP)
Stellar Consensus Protocol (SCP): Unlike Proof-of-Work (Bitcoin) or Proof-of-Stake (Ethereum), Stellar uses a Federated Byzantine Agreement (FBA) model. The network relies on a decentralized web of nodes that choose which other nodes to trust, forming overlapping "quorum slices." Consensus is reached when these quorums agree on the state of the ledger, allowing for rapid transaction finality in 3 to 5 seconds without energy-intensive mining or capital-intensive staking.
Source: PhemexNode Topology: The network is sustained by different tiers of nodes. Watcher nodes submit transactions and query data (often utilizing the highly efficient Stellar RPC architecture rolled out in 2025), while Validator nodes actively participate in the SCP to propose and vote on ledger states.
Anti-Spam & Base Reserves: To prevent ledger bloat, the network enforces strict operational requirements. Every account must maintain a minimum base reserve of 0.5 XLM. Additionally, a small reserve is required for every "Trustline" or active DEX offer, ensuring that only economically meaningful data occupies network storage and preventing bad actors from spamming the system.
Incidences of Manipulation or Security Failures: The core Stellar protocol maintains an exceptional security record, with 99.99% uptime over its 12-year history and zero successful 51% attacks. However, the operational risk profile shifted with the introduction of Turing-complete smart contracts:
Soroban SDK Vulnerability: In late January 2026, security researchers disclosed CVE-2026-24889 within the Soroban Rust SDK. The vulnerability involved potential arithmetic overflows that could have corrupted specific contract states during extreme network congestion. The Stellar Development Foundation (SDF) coordinated a rapid validator patch before any malicious exploitation occurred, serving as a wake-up call regarding the execution risks of complex DeFi logic.
Airdrop Scams & Phishing: Because creating tokens on Stellar is virtually free, the network has historically been plagued by "claimable balance" spam and fake airdrops. To combat this, major Stellar wallets (like Lobstr and Freighter) natively integrated Blockaid security scanning in 2025, which operationally flags malicious dApps and prevents users from signing wallet-draining transactions.
Institutional Asset Integrity: The network's primary operational defense against manipulation for institutional assets (like USDC or Franklin Templeton's BENJI) is the Trustline architecture. Users cannot be forcibly sent an asset; they must explicitly opt-in by signing a Trustline transaction. This prevents compliance headaches for regulated entities managing strict KYC/AML blacklists.
Token Ownership Concentration
Stellar’s tokenomics were heavily restructured in 2019 when the foundation famously burned half of the total supply.
Maximum Supply: Strictly capped at 50,000,000,000 (50 billion) XLM. There is no inflation; the community voted to permanently disable the protocol’s 1% annual inflation mechanism in late 2019.
Circulating Supply: As of March 2026, approximately 33 billion XLM (66%) is in circulation.
SDF Treasury: The remaining tokens (~17 billion) are held by the Stellar Development Foundation (SDF). These are not strictly "locked" by smart contracts but are distributed via a transparent, multi-year mandate to fund enterprise grants, network development, and ecosystem investments.
Please refer to this external link to view XLM’s top token holders.
Security Audits
Stellar operates a proprietary Layer-1 public network utilizing the highly unique Stellar Consensus Protocol (SCP), a construction of the Federated Byzantine Agreement (FBA) model in which individual validators independently select their own trusted quorum slices rather than relying on computational power or staked capital to achieve consensus. Because the network relies on quorum intersection across decentralized validator slices to achieve deterministic finality without resorting to traditional Proof of Work or Proof of Stake mechanisms, top-tier blockchain security firms and academic researchers continuously evaluate the core mathematical proofs underpinning SCP.
Protocol-Level Security Architecture
Stellar's technical security is anchored in rigorous evaluation of unique consensus mechanisms:
Federated Byzantine Agreement (FBA) Model:
Individual validators select independent trusted quorum slices;
Does not rely on computational power or staked capital;
Achieves deterministic finality through quorum intersection;
Evaluated by top-tier security firms and academic researchers;
Mathematical proofs audited at protocol level.
Protocol-Level Audits:
Meticulously analyze network validator infrastructure;
Verify quorum intersection logic;
Evaluate core consensus module;
Ensure mathematical resilience against malicious node collusion;
Protection against denial-of-service attacks;
Defense against consensus manipulation;
Validated for massive global payment volumes.
Soroban Smart Contract Platform
Stellar powers a rapidly expanding ecosystem through the launch of its Soroban smart contract platform:
Smart Contract Architecture:
Written in Rust;
Compiled to WebAssembly (WASM);
Executed in WASM environment;
Enables complex application layer functionality;
Supports cross-border payments, tokenized real-world assets, and DeFi.
Auditor Network and Soroban Audit Bank:
Confirmed Specialist Auditors:
OtterSec;
Veridise;
Runtime Verification;
CoinFabrik;
Quarkslab;
Coinspect;
Certora.
Status: All serve as approved partners under Stellar Development Foundation's Soroban Security Audit Bank.
Certora Formal Verification Partnership:
Engaged October 2023;
Develops Soroban-compatible formal verification tooling;
Conducts mathematical proof-level security checks;
Validates smart contract runtime security;
Provides highest-level cryptographic assurance.
Audit Scope Coverage:
WASM execution environment evaluation;
Asset issuance infrastructure;
Individual smart contract logic;
Prevention of catastrophic minting exploits;
Defense against liquidity drains.
Soroban Security Audit Bank Program
The Stellar Development Foundation launched the Soroban Security Audit Bank in March 2024 with expanding scope:
Program Evolution:
Initial Launch (March 2024):
Budget: Up to $1,000,000 in audit credits;
Target: 20–30 high-priority projects;
Demonstrates commitment to ecosystem security.
Current Status (May 2025):
Deployed: Over $3,000,000 across audits;
Funded projects: More than 40;
Remediation rate: 93% for critical, high, and medium severity findings;
Zero major post-launch exploits among completed participants;
Demonstrates highly effective security framework.
Milestone-Based Follow-Up Audits:
Complimentary follow-up audits as projects grow;
Formal Certora verification triggered at $10,000,000 TVL milestone;
Additional Certora verification at $100,000,000 TVL milestone;
Ensures continuous security as ecosystem scales;
Supports institutional-grade oversight.
Audit Success Metrics:
93% remediation rate across all findings;
No major exploits among Audit Bank graduates;
Demonstrates preventative effectiveness;
Validates pre-launch security model.
Bug Bounty Programs
The Stellar Development Foundation maintains multiple bug bounty programs:
Primary Immunefi Program:
Reward Structure:
Minimum reward: $50,000;
Maximum reward: $250,000 for critical Blockchain/DLT vulnerabilities;
Structured reward framework reflecting vulnerability severity;
Demonstrates significant commitment to security.
Program Requirements:
Proof of Concept required;
KYC verification required from all claimants;
Processing only after verification completion;
Ensures accountability and legitimacy of claims.
Scope:
Core Stellar network;
Associated infrastructure;
Continuous incentivization of global white-hat researchers;
Coverage across entire ecosystem.
OpenZeppelin on Stellar Program:
Dedicated Security Coverage:
Separate Immunefi program dedicated to OpenZeppelin standards;
Total pool: $250,000 (up to $25,000 per finding);
Covers OpenZeppelin smart contract standards deployed on Stellar;
Specialized security coverage for developer standards.
This comprehensive, multi-layered security posture — encompassing the Stellar Consensus Protocol with Federated Byzantine Agreement model audited by top-tier security firms and academic researchers, Soroban smart contract platform with seven approved specialist auditors, Certora formal verification partnership developing proof-level security checks, a Soroban Security Audit Bank deploying $3,000,000+ across 40+ projects with 93% remediation rate and zero major post-launch exploits, milestone-based follow-up Certora audits at $10M and $100M TVL thresholds, and dual bug bounty programs ($250,000 primary + $250,000 OpenZeppelin pool) — provides a robust security framework for a federated consensus Layer-1 supporting global payments, real-world asset tokenization, and decentralized applications.
Sources:
The information provided here is presented "as is" and is intended for general informational and educational purposes only. It does not come with any representation or warranty of any kind. This content should not be interpreted as financial, legal, or other professional advice, and it is not intended to endorse or recommend the purchase of any specific product or service. It is advisable to consult with appropriate professional advisors for personalized guidance. In cases where the article is contributed by a third-party author, please note that the expressed views belong to the author alone and may not necessarily reflect the opinions of Hata. For further details, we encourage you to read our complete disclaimer. Please be aware that the prices of digital assets can be highly volatile. The value of your investment may increase or decrease, and there is a risk that you may not recover the full amount invested. You are solely responsible for making your own investment decisions, and Hata cannot be held liable for any losses you may incur. This material is not to be construed as financial, legal, or other professional advice. For more information, please refer to Hata’s Term of Use and Risk Warning.