Juno Token $36M Typo Debacle

The copy-paste blunder that sent $36M in seized JUNO tokens to an unlinkable address has thrown the Ethereum community into a tizzy. Developers, validators, and token holders are all struggling to figure out who is to blame for the mistake.

The Juno blockchain, which is based on the Cosmos network, continues to serve as a cautionary tale for on-chain governance. Last week’s unanimous community vote was meant to plunder millions of dollars’ worth of JUNO tokens from a whale (large investor) accused of gaming a community airdrop. Instead of sending the money to an address that could be linked to the JUNO team, the vote sent it to an unspendable address on the Ethereum network.

This “accidental” distribution of JUNO tokens has caused a lot of hand-wringing within the Ethereum community. Some claim that this is proof that on-chain governance is a recipe for disaster.

The promise of blockchain-based governance is that the will of a community is directly codified on the blockchain. In a world where “code is law,” moving assets from one specific address to another should have been as simple as casting a community vote. And yet, this week’s failures of numerous human-controlled safeguards show how code-centric governance has its own share of issues. The JUNO incident is a reminder that, as with any other system, blockchain-based governance is only as good as the people who design, build, and operate it.

The community voted to remove tokens from Takumi Asano, a Japanese investor accused of gaming the Juno airdrop by over $120 million in February, in Juno Proposal 20, which was passed on Thursday. It was the first major example yet of a blockchain network voting to change the token balance of a single user who has been accused of malicious activity. The proposal, made by JUNO’s community governance group called the Genesis DAO, passed with over 90% of the vote.

Asano had been accused by the JUNO community of participating in what’s known as an “airdrop farming” scheme. The process involves setting up multiple wallets with different addresses and using them to claim airdrops—free token giveaways that often happen when a new project launches on the Ethereum blockchain. The JUNO team had initially proposed to blacklist Asano’s addresses, which would have rendered his tokens unusable.

According to the community vote, Asano ran an exchange service that should have rendered his wallets ineligible for the so-called Juno “stakedrop,” which gave JUNO tokens to stakers on the Cosmos Hub blockchain. After a delay of a few days, last week’s vote was supposed to automatically run code moving the “gamed” funds – now worth around $36 million – from Asano’s wallet into a “Unity” address controlled by the Juno community.

Things didn’t turn out as expected. When the code was run on Wednesday, a programming mistake resulted in 3 million revoked JUNO tokens being sent to an incorrect address on the blockchain, where no one – neither Asano nor the Juno community – had access. According to Andrea Di Michele, a member of Juno’s “Core-1” founding developer team who goes by “Dimi,” the fudged transfer resulted from a copy-paste mistake. “When I provided the [Proposal 20] developers with the smart contract address, I pasted the address of the smart contract and simply wrote ‘Etherscan’ next to it without noticing,” says Di Michele.

Advertisement

The JUNO team is currently working on a fix that would enable them to retrieve the tokens and send them to the correct address. In the meantime, they have asked exchanges to halt trading of JUNO tokens. Developers, according to Dimi, copied the transaction hash instead of the address; as a result, the seized funds landed in a crack in the Juno blockchain where no one has access.It is theoretically up to Validators who run proof-of-stake blockchains like Juno to conduct thorough research on on-chain upgrades, such as the one that came with Proposal 20. It’s not any one developer – it’s the entire disintermediated community of validators – that is in charge of generating blocks, securing the network and ultimately deciding which transactions get included.

As such, one would hope that the JUNO community would have thoroughly vetted the code before it was put to a vote. That does not appear to be the case.It is unclear how long JUNO will be offline while the team works on a fix. Not one of Juno’s more than 120 validators appears to have noticed that the Unity address was copied incorrectly. “We made a huge mistake,” said Daniel Hwang, head of protocols at stakefish, one of Juno’s validators. “The fault is much more on the validators who actually carried out the code.

“Developers may make mistakes… but at the end of the day, there should be trust assumptions that can’t be trusted,” Hwang added. “Validationists should have due diligence in verifying the code we’re executing and running ourselves.” The core developer team and the network’s community are still determined on moving Asano’s cash to the community-controlled Unity contract rather than “burning” them inadvertently, as he warns may happen. (Asano has threatened to sue Juno’s validators if his funds are tossed away instead of going to his supposed “investors.”) The goal is to have a nice public relations event where JUNO’s token holders who were burned in the great JUNO $36 million blunder can see their money flow back into the community-controlled fund. Proposal 21, which is vague in terms of governance and aims to green-light the upgrade, contains lines that say the upgrade “[f]inalizes the Unity proposal fund transfer” and “[r]elocates the funds from a placeholder address to the Unity smart contract.” It appears that Proposal 21 will send the 3 million JUNO tokens to the correct address this time.

The JUNO team is also working on a long-term solution that would make it impossible for future Asanos to game the system. They are planning to upgrade JUNO’s staking mechanism so that a minimum amount of JUNO tokens – 1% of the total JUNO supply, or about 1.2 million JUNO tokens – is required to activate a validator node. This would make it impossible for any one person to control a majority of the network’s staking power.