Typo Moves $36M in Seized JUNO Tokens to Wrong Wallet

The Cosmos-based Juno blockchain continues to serve as a case study for the trials and travails of on-chain governance.

An unprecedented community vote last week was supposed to seize millions of dollars’ worth of JUNO tokens from the wallet of a whale (large investor) accused of gaming a community airdrop. Rather than send the funds to an address controlled by the Juno community, as originally planned, a programming mix-up sent the funds to the wrong address on Wednesday.

Read more: Juno Blockchain Community Officially Votes to Revoke Whale’s Tokens

The promise of blockchain-based governance is that the will of a community is directly codified on-chain. In a world where “code is law,” a simple community vote should have been enough to move tokens from one specific blockchain address to another.

And yet, the failure of several human-controlled safeguards this week shows how code-centric governance has yet to live up to its heady promise.

Juno Proposal 20, which passed with overwhelming community support last week, revoked tokens from Takumi Asano, a Japanese investor accused of gaming the Juno airdrop to the tune of $120 million in February. It was the first major example to date of a blockchain community voting to alter the token balance of a single user accused of acting maliciously.

According to the community vote, Asano ran an exchange service that should have rendered his wallets ineligible for the so-called Juno “stakedrop,” which gave JUNO tokens to stakers on the Cosmos Hub blockchain.

After a delay of a few days, last week’s vote was supposed to automatically run code moving the “gamed” funds – now worth around $36 million – from Asano’s wallet into a “Unity” address controlled by the Juno community.

Things didn’t go as planned.

When the code was executed on Wednesday, a programming error ended up moving 3 million revoked JUNO tokens to an erroneous address on the blockchain where nobody – neither Asano nor the Juno community – has access.

Andrea Di Michele, a member of Juno’s “Core-1” founding developer team who goes by “Dimi,” told CoinDesk that the fudged transfer came as the result of a copy-paste error.

“When I gave the [Proposal 20] developers the address of the [Unity] smart contract, I pasted the address of the smart contract and just underneath put the transaction hash. But I didn’t write ‘the transaction hash is this,’ I just put the transaction hash,” Dimi explained.

According to Dimi, developers accidentally copied the transaction hash – which looked similar to the wallet address – rather than the address itself. As a result, the seized funds ended up moving to a crevice of the Juno blockchain where nobody has access.

Validators who deploy nodes to run proof-of-stake blockchains like Juno are theoretically responsible for conducting due diligence about on-chain upgrades like the one that came with Proposal 20. It is this disintermediated community of validators – not any specific developer – which is responsible for issuing blocks, securing the network and processing upgrades in a “decentralized” manner.

Of Juno’s more than 120 validators, not one appeared to notice that the Unity address was pasted incorrectly.

Daniel Hwang, head of protocols at stakefish, one of Juno’s validators, summed up his thoughts in a message to CoinDesk: “We f**ked up big time.”

Rather than the programmers who pasted the wrong address into the Proposal 20 code, Hwang said this week’s events were “more the fault of the validators” who ultimately executed that code.

“Devs can mess up … but at the end of the day there should be trust assumptions that cannot be relied on,” Hwang said. “Validators should have due diligenced for ourselves to actually check the code we’re executing and running.”

The whale’s response? “LoL.”

Juno’s core developer team and the chain’s community are still intent on moving Asano’s funds into the community-controlled Unity contract rather than “burning” them unintentionally as Asano says might happen. (Asano previously told CoinDesk he will sue Juno’s validators should his funds get discarded rather than go to his supposed “investors.”)

As of now, the plan is to move the funds to the Unity address via an already planned upgrade to the blockchain. Instead of simply making code improvements, this upgrade will now rewrite Juno’s ledger so that the stranded funds are reassigned to Unity.

A vaguely worded governance proposal to green-light the upgrade, Proposal 21, includes lines that say the upgrade “[f]inalizes the Unity proposal fund transfer” and “[r]elocates the funds from a placeholder address to the Unity smart contract.”

Proposal 21 looks on track to pass, and it’s hard to imagine validators, developers and Asano won’t be triple-checking the code this time around.

While Juno has attracted significant support from the Cosmos blockchain community, this is just the latest in a series of setbacks for the project.

After a community vote first moved to revoke Asano’s tokens in March, a mysterious smart contract attack pulled the chain offline for several days in April. Over the past two months, the JUNO token price has declined from a high of around $40 to about $10, which is where it sits today.

CORRECTION (May 5, 19:01 UTC): This article has been corrected to reflect that Juno was not the first Cosmos-based chain with permissionless smart contract deployment.