Cut-And-Paste Error Destroys $36M in Crypto, Eroding Trust in Blockchain

Juno, blockchain

How hard do you have to work to permanently lose $36 million in a single transaction?

Well, let’s ask another question first: Have you ever pasted the wrong URL into a document when trying to insert a link to a website?

In crypto, a careless cut-and-paste mistake is all it takes.

As blockchain transactions are immutable, meaning irreversible, and users are pseudonymous — you know the address of their wallet but not their identity — getting your funds back requires the goodwill of whoever’s on the receiving end, if you can even contact them. If they’re actually human.

The developers of the Juno blockchain found that out the hard way on Wednesday (May 4), when one of its developers sent a slightly unclear message.

Check Twice

“I pasted the address of the [digital wallet] and just underneath put the transaction hash,” Andrea Di Michele, a member of Juno’s “Core-1” founding developer team, told CoinDesk, referring to a long string of letters and numbers that helps locate a transaction after it is added to a blockchain.

“But I didn’t write ‘the transaction hash is this,’” Di Michele explained. “I just put the transaction hash.”

Unfortunately, that hash looks a lot like the address of a digital wallet. Worse still, ownership of that cache of cryptocurrency is in dispute and may be the subject of a lawsuit — and has declined substantially in value, likely as a result of the error.

Along the way, the situation calls the suitability of blockchain as a payments rail into question.

See also: DeFi’s Achilles’ Heel on Display: Vote Could Take $100M in Crypto from an Investor

That was about six weeks ago. On Wednesday (May 4), someone else on the developer team, assigned to move the 3.1 million JUNO tokens in question, copied the transaction hash instead of the address of the wallet where it was supposed to be sent, pasted it into the destination line and pressed send.

And that’s it. The funds were sent, in CoinDesk’s words, “to a crevice of the Juno blockchain where nobody has access.”

Who Are You?

This is a bad enough example of blockchain’s shortcomings as a way to make payments.

While sending a payment to the wrong person gets a lot more reversible if their digital wallet is connected to an exchange or other entity that collected know-your-customer (KYC) data, that’s a mighty big “if” at this point.

Private wallets aren’t required to collect or give out KYC data, although the Treasury Department briefly worked on such a law in 2020, and crypto-skeptical Sen. Elizabeth Warren, D-Mass., resurrected it in March. That same month, the authors of the EU’s Markets in Crypto Assets (MICA) — currently working its way towards a finalized version — at least considered the same thing, even though it would be very hard to enforce.

Related news: Warren Resurrects Calls for KYC Data from Private Crypto Wallets

You may like: With AML Proposal, ECB Gives Digital Euro Leg up on Bitcoin Payments

However, such a law wouldn’t help in a situation where the transaction was sent to a black hole address.

But Wait: There’s More

But let’s get back to that legal dispute, which is in some ways an even bigger potential problem for blockchain-based transactions of any kind.

Briefly, the dispute went like this: The developers “airdropped” — gave away — a bunch of tokens to people who supported it early by buying its tokens. But a Japanese investor who later identified himself as Takumi Asano had 50 wallets collecting separate airdrops, as the Juno community learned after he consolidated all of the new JUNO tokens into a single wallet.

Accusations of cheating by gaming the system followed. An uproar ensued, and the JUNO community did something that was essentially unprecedented, as well as potentially destructive to the trust in any blockchain’s immutability, not just Juno.

They voted to fork the blockchain — essentially rewriting history — in order to take away 49 wallets worth of tokens from Asano. (For more on the mechanism by which this was done, see the link below.)

More here: PYMNTS Crypto Basics Series: What’s a Consensus Mechanism and Why Is It Destroying the Planet?

Asano, who claims he was acting on behalf of investors, wants his crypto back and has threatened to sue the validators of the blockchain personally if the JUNO tokens are not returned.

Double Trouble

Now, there are two problems.

First, the community voted to seize someone’s property without any legal due process.

The core of blockchain’s success is that it was a way to allow “trustless” transactions, meaning ones in which neither party had to trust each other or a central authority, such as a bank. It’s how bitcoin solved the double spend problem.

See here: PYMNTS Crypto Basics Series: What’s a Blockchain and How Does It Work?

Now, not only is there a central authority — the token holders who have governance control of the decentralized blockchain — but there is also an example of them wielding power capriciously. This takes the trust vital to transactions away. Additionally, the Juno developers are looking at a second fork to return the lost crypto.

As Asano pointed out on Twitter, there’s a likely reason the $100 million worth of JUNO is now worth $36 million.

Second, Asano has threatened to sue the validators who secure the proof-of-stake blockchain (see the Consensus Mechanism link above) by competing to gather transactions into blocks, check their validity and then, if they all agree, write the new block onto the blockchain. They run nodes — the distributed servers holding full copies of the blockchain — in exchange for rewards of newly minted tokens and transaction fees.

If they can be successfully sued, and found personally liable for transactions made on the blockchain, the validators’ position gets very, very risky. And without validators who replace the energy-draining, pollution-spewing miners who validate Bitcoin transactions, proof-of-stake blockchains don’t work.

As for suing the token holders who voted for the seizure, there were about 69,000 of them all over the world, and all pseudonymous.

As a coda, Juno validator Daniel Hwang told CoinDesk that the misaddressed transaction was “more the fault of the validators” who ultimately executed that code than the developer who cut and pasted the wrong string of numbers and letters.

“Devs can mess up … but at the end of the day there should be trust assumptions that cannot be relied on,” Hwang said. “Validators should have due diligence for ourselves to actually check the code we’re executing and running.”