Typo moves seized $36 million worth of JUNO tokens to wrong wallet

Validators, developers and token holders are arguing over who is to blame for the copying error that moved the tokens to an address no one has access to.

The Cosmos-based Juno blockchain continues to serve as a case study in the trials and travails of on-chain governance.

An unprecedented community vote last week set out to seize millions of dollars' worth of JUNO tokens from the wallet of a whale (major investor) accused of manipulating a community airdrop. The funds were meant to go to an address controlled by the Juno community; instead, a programming error sent them to the wrong address on Wednesday.

The promise of blockchain-based governance is that the will of a community is codified directly on the chain. In a world where "code is law," a simple community vote should have been enough to move tokens from one particular blockchain address to another.

And yet, the failure of several human-driven security measures this week shows that code-centric governance has yet to deliver on its heady promise.

Juno and the whale

Juno Proposal 20, passed last week with overwhelming community support, revoked the tokens of Takumi Asano, a Japanese investor accused of bilking $120 million out of the Juno airdrop in February. It was the first major example of the blockchain community voting to change the token balance of an individual user accused of acting maliciously.

According to the community vote, Asano was running an exchange service to make his wallets ineligible for the so-called "Juno Stakedrop," in which JUNO tokens were awarded to stakers on the Cosmos Hub blockchain.

After a delay of a few days, last week's vote was supposed to automatically run code that would move the "gamed" funds - now worth about $36 million - from Asano's wallet to a "Unity" address controlled by the Juno community.

Things didn't go as planned, however.

When the code was executed on Wednesday, a programming error resulted in 3 million revoked JUNO tokens being moved to an incorrect address on the blockchain that no one - neither Asano nor the Juno community - has access to.

Proposal 20: A copy-paste error

Andrea Di Michele, a member of Juno's "Core-1" founding team who goes by "Dimi," told CoinDesk that the misdirected transfer was the result of a copy-paste error.

"When I gave the [Proposal 20] developers the address of the [Unity] smart contract, I pasted the address of the smart contract and put the transaction hash below it. But I didn't write 'the transaction hash is this,' I just inserted the transaction hash," Dimi explained.

According to Dimi, the developers accidentally copied the transaction hash, which looked similar to the wallet address, and not the address itself. As a result, the seized funds ended up in a crevice of the Juno blockchain that no one has access to.

Who's to blame?

Validators who provide nodes for running proof-of-stake blockchains like Juno are theoretically responsible for performing due diligence on on-chain upgrades like the one that came with Proposal 20. It is this intermediary community of validators - not a particular developer - that is responsible for issuing blocks, securing the network, and processing upgrades in a "decentralized" manner.

Of Juno's 120-plus validators, none seemed to notice that the Unity address was inserted incorrectly.
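
An added example, not part of the original article or of Juno's code: a pre-upgrade check of the kind validator due diligence could include, aimed at the hash-for-address mix-up described above. It assumes the `juno` bech32 prefix and 20- or 32-byte address payloads; `check_destination` and both sample values are hypothetical and constructed.

```python
import re

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)

def _polymod(hrp, groups):  # BIP-173 checksum over expanded prefix + 5-bit data
    chk = 1
    for v in [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + groups:
        top, chk = chk >> 25, ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk

def bech32_encode(hrp, payload):  # only used to build the constructed samples
    bits = "".join(f"{b:08b}" for b in payload)
    bits += "0" * (-len(bits) % 5)
    groups = [int(bits[i:i + 5], 2) for i in range(0, len(bits), 5)]
    pm = _polymod(hrp, groups + [0] * 6) ^ 1
    groups += [(pm >> s) & 31 for s in range(25, -1, -5)]
    return hrp + "1" + "".join(CHARSET[g] for g in groups)

def bech32_decode(addr):
    """Return (prefix, payload bytes), or None if charset, checksum or padding is bad."""
    hrp, sep, rest = addr.rpartition("1")
    if not sep or not hrp or len(rest) < 6 or any(c not in CHARSET for c in rest):
        return None
    groups = [CHARSET.index(c) for c in rest]
    if _polymod(hrp, groups) != 1:
        return None
    bits = "".join(f"{g:05b}" for g in groups[:-6])
    cut = len(bits) - len(bits) % 8
    if len(bits) - cut >= 5 or "1" in bits[cut:]:
        return None
    return hrp, bytes(int(bits[i:i + 8], 2) for i in range(0, cut, 8))

def check_destination(value, expected, hrp="juno"):
    """Return 'ok', or the reason a hard-coded destination should be rejected."""
    if re.fullmatch(r"[0-9A-Fa-f]{64}", value):
        return "transaction-hash shaped (64 hex chars), not an address"
    decoded = bech32_decode(value)
    if decoded is None:
        return "not valid bech32"
    if decoded[0] != hrp or len(decoded[1]) not in (20, 32):  # assumed lengths
        return "wrong prefix or payload length"
    return "ok" if value == expected else "valid address, but not the proposal's"

UNITY = bech32_encode("juno", bytes(range(32)))  # constructed, not a real address
PASTED_HASH = "9F" * 32                          # constructed 64-hex-char "hash"
```

A 32-byte hash that has been re-encoded as bech32 passes every format check, so only the comparison against an independently obtained expected address rejects it.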

Daniel Hwang, head of protocols at stakefish, one of Juno's validators, summed up his thoughts in a message to CoinDesk: "We f**ked up big time."

Rather than the programmers who inserted the wrong address into Proposal 20's code, Hwang said this week's events are "more the fault of the validators" who ultimately ran the code.

"Developers can make mistakes ... but at the end of the day, you should rely on assumptions that you can't rely on," Hwang said. "Validators should do due diligence for ourselves to actually check the code we run."

So what's next for Juno?

The whale's answer? "LoL."

Juno's core development team and the chain's community are still eager to move Asano's funds into the community-controlled Unity contract, rather than unintentionally "burning" them, as Asano says. (Asano has already told CoinDesk that he will sue Juno's validators if his funds are thrown away rather than going to his alleged "investors.")

Right now, the plan is to move the funds to the Unity address via an already planned upgrade to the blockchain. Rather than simply making code improvements, this upgrade will now rewrite Juno's ledger so that the stranded funds are assigned to Unity.

A vaguely worded proposal to approve the upgrade, Proposal 21, includes lines stating that the upgrade "implements Unity's proposal for transferring funds" and "moves funds from a placeholder address to the Unity smart contract."

It looks like Proposal 21 will be adopted, and it's hard to imagine that validators, developers, and Asano won't triple-check the code this time.

Another obstacle in the way

Although Juno has strong support from the Cosmos blockchain community, this is just the latest in a series of setbacks for the project.

After a community vote in March led to Asano's tokens being revoked, a mysterious smart contract attack crippled the chain for several days in April. Over the past two months, the price of the JUNO token has fallen from a high of about $40 to about $10, where it is today.

CORRECTION (May 5, 19:01 UTC): This article has been corrected to state that Juno was not the first Cosmos-based chain to use permissionless smart contracts.