Safeheron Alert: Juno Unexpectedly Transferred $36 Million in Cryptocurrency to Wrong Wallet Address

05/07/2022

By Safeheron Security Team

After Juno Network, the Cosmos-based blockchain, passed Proposal 21, most of the JUNO tokens in the wallet of a whale (large investor) were supposed to be sent to a “Unity” address controlled by the Juno community.

*Proposal 21: a plan to rewrite the Juno distributed ledger as part of an upgrade, relocating the confiscated funds from a placeholder address to the Unity smart contract (supported by 97.55%).

However, Asano, the person in charge of the transfer, copied the receiving address incorrectly, so the funds were sent to an address that nobody, neither Asano nor the Juno community, has access to. Worse, of Juno’s more than 120 validators, not one appeared to notice that the Unity address had been pasted incorrectly.

Safeheron Analysis

This accident shows 2 risks:

  1. The operator has too much permission, which creates a single point of failure;

  2. No approval of the receiving address, so the funds were sent to an erroneous address that no one has access to;

  3. No multi-person approval of the transfer operation.

Safeheron Suggestion

  1. Eliminate the single point of failure on the private key with MultiSig;

  2. Pre-approve the target address and whitelist it;

  3. Strengthen security governance so that no crucial operation is executed by one person alone. Multi-person operation, or multi-person approval and verification, is required.
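
Suggestions 2 and 3 expressed as a pre-send check, added here as an illustration (not Safeheron's or Juno's code): a transfer is released only if the destination is on the pre-approved whitelist and enough people other than the operator approved that exact destination and amount. The addresses, approver names, amount and quorum of 2 are constructed assumptions.

```python
import hashlib

QUORUM = 2  # assumed policy: independent approvals needed per transfer

def transfer_digest(dest, amount):
    """Bind an approval to one exact destination and amount."""
    return hashlib.sha256(f"{dest}|{amount}".encode()).hexdigest()

class TransferGuard:
    def __init__(self, allowlist, approvers):
        self.allowlist = set(allowlist)   # addresses pre-approved out of band
        self.approvers = set(approvers)   # people allowed to approve
        self.approvals = {}               # digest -> names that approved it

    def approve(self, who, dest, amount):
        if who not in self.approvers:
            raise PermissionError(f"{who} is not an approver")
        self.approvals.setdefault(transfer_digest(dest, amount), set()).add(who)

    def check(self, operator, dest, amount):
        """Return (ok, reason) for a transfer the operator wants to sign."""
        if dest not in self.allowlist:
            return False, "destination not on allowlist"
        # The operator's own approval never counts toward the quorum.
        got = self.approvals.get(transfer_digest(dest, amount), set()) - {operator}
        if len(got) < QUORUM:
            return False, f"{len(got)}/{QUORUM} independent approvals"
        return True, "ok"

# Constructed sample values, not real Juno addresses or amounts.
UNITY = "juno1-EXAMPLE-unity-contract"
PASTED = "juno1-EXAMPLE-wrong-paste"
AMOUNT = 1_000_000

def demo():
    guard = TransferGuard(allowlist=[UNITY], approvers=["alice", "bob", "op"])
    guard.approve("op", UNITY, AMOUNT)       # operator approving own transfer
    guard.approve("alice", UNITY, AMOUNT)
    one_approver = guard.check("op", UNITY, AMOUNT)
    guard.approve("bob", UNITY, AMOUNT)
    return {
        "one_approver": one_approver,
        "quorum_met": guard.check("op", UNITY, AMOUNT),
        "wrong_paste": guard.check("op", PASTED, AMOUNT),
    }

if __name__ == "__main__":
    print(demo())
```

Because each approval is keyed to a digest of the destination and amount, approvals collected for the Unity address cannot be reused for a mis-pasted one.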
