Safeheron Alert: Juno Unexpectedly Transferred $36 Million in Cryptocurrency to Wrong Wallet Address
By Safeheron Security Team
After Juno Network, the Cosmos-based blockchain, passed Proposal 21, most JUNO tokens from the wallet of a whale (large investor) were supposed to be sent to a “Unity” address controlled by the Juno community.
*Proposal 21: a plan to rewrite the Juno distributed ledger as part of an upgrade, relocating the confiscated funds from a placeholder address to the Unity smart contract (supported by 97.55%).
However, the person in charge of the transfer, Asano, copied the receiving address incorrectly, so the funds were sent to an address that nobody, neither Asano nor the Juno community, has access to. Worse, of Juno’s more than 120 validators, not one appeared to notice that the Unity address had been pasted incorrectly.
This accident shows 2 risks:
- 1. The operator has too much permission, which creates a single point of failure;
- 2. There was no approval of the receiving address, so the funds were sent to an erroneous address that no one has access to;
- 3. There was no multi-person approval of the transfer operation.
To address these risks:
- 1. Eliminate the single point of failure on the private key by using MultiSig;
- 2. Pre-approve the target address and whitelist it;
- 3. Strengthen security governance so that no crucial operation is executed by one person. Multi-person operation, or multi-person approval and verification, is needed.
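The sketch below is an added example, not code from Safeheron or the Juno project, showing how mitigations 2 and 3 combine: a transfer is authorized only when its destination is on a pre-approved list and a quorum of approvers other than the initiator have each confirmed the exact same address. All class names, approver names and address strings are hypothetical; the addresses are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholder strings, not real on-chain addresses.
UNITY = "juno1-unity-contract-PLACEHOLDER"
MISCOPIED = "juno1-miscopied-value-PLACEHOLDER"

class PolicyError(Exception):
    """A transfer request violates the approval policy."""

@dataclass
class TransferRequest:
    initiator: str
    destination: str
    amount: int
    # approver -> address that approver read from the approved source themselves
    confirmations: dict = field(default_factory=dict)

@dataclass(frozen=True)
class TransferPolicy:  # hypothetical names throughout
    allowlist: frozenset  # destinations approved before any transfer is drafted
    approvers: frozenset  # people allowed to sign off
    quorum: int           # distinct matching confirmations required

    def confirm(self, req, approver, address_seen):
        if approver not in self.approvers:
            raise PolicyError(f"{approver} is not an approver")
        if approver == req.initiator:
            raise PolicyError("initiator cannot approve their own transfer")
        req.confirmations[approver] = address_seen

    def authorize(self, req):
        """Return the approvers who back this transfer, or raise PolicyError."""
        if req.destination not in self.allowlist:
            raise PolicyError("destination is not a pre-approved address")
        # Count only approvers whose independently read address matches exactly.
        matching = sorted(a for a, seen in req.confirmations.items()
                          if seen == req.destination)
        if len(matching) < self.quorum:
            raise PolicyError(f"{len(matching)} of {self.quorum} confirmations")
        return matching

if __name__ == "__main__":
    policy = TransferPolicy(frozenset({UNITY}), frozenset({"alice", "bob", "carol"}), 2)
    req = TransferRequest("alice", UNITY, 1_000)
    policy.confirm(req, "bob", UNITY)
    policy.confirm(req, "carol", UNITY)
    print(policy.authorize(req))  # ['bob', 'carol']
```

Having each approver submit the address they read themselves, rather than clicking "approve" on the initiator's pasted value, is what makes the second check independent of the first.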