Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
IT Technology

A Typo Sent $36 Million of Crypto Into the Ether (cnet.com) 141

An anonymous reader shares a report: One of the key selling points of the blockchain is that it's immutable: Once data is processed, once a transaction occurs, it can't be undone. One of the most painful downsides to the blockchain? It's immutable. If human error causes something to be sold for the wrong price or money to be sent to the wrong place, reversing it can be difficult or even impossible. That is the unfortunate place developers of the Juno cryptocurrency find themselves. A community vote had decreed that around 3 million Juno tokens, worth around $36 million, be seized from an investor deemed to have acquired the tokens via malicious means. (This in itself was a big crypto news story.) The funds were to be sent to a wallet controlled by Juno token holders, who could vote on how it would be spent.

But a developer inadvertently copy and pasted the wrong wallet address, as reported by CoinDesk, leading to $36 million in crypto being sent to an inaccessible address. Andrea Di Michele, one of Juno's founding developers, explained to the publication that he sent the correct wallet address to the developer responsible for the transfer, as well as a hash number. Hashes connect blocks to one another in the blockchain, and at a glance hash numbers can look very similar to wallet addresses. The programmer in charge for the transfer accidentally copied and pasted the hash number, rather than the wallet address.

This discussion has been archived. No new comments can be posted.

A Typo Sent $36 Million of Crypto Into the Ether

Comments Filter:
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Friday May 06, 2022 @10:24AM (#62509318)
    Comment removed based on user account deletion
    • by jmak ( 409787 ) on Friday May 06, 2022 @10:41AM (#62509376)

      The wallet is effectively created by the first transaction that sends the money into it. However, if you used a random public key instead of creating a proper public+private pair, tough luck brute forcing the private key from the randomly chosen public one.

      • Comment removed based on user account deletion
      • The wallet is effectively created by the first transaction that sends the money into it. However, if you used a random public key instead of creating a proper public+private pair, tough luck brute forcing the private key from the randomly chosen public one.

        Yes that part is obvious, but what isn't obvious is how they "voted" to "sieze" money from a 3rd party. Unless that 3rd party was stupid enough to have his private key managed by someone else who was subject to this vote.

        And honestly given how every story I hear about bitcoin seems to be centered around the dumbest stupid people imaginable I wouldn't rule it out, but is there a technical thing I'm missing here?

      • If it is a high entropy hash, then odds are very good it has a small factor and is a very poor key. Brute forcing should not be hard.
      • Ah...so now it's an Easter egg hunt. Guess they just offered $36 million to break their own encryption system, at least once.

    • by thestobor ( 891237 ) on Friday May 06, 2022 @11:25AM (#62509578)
      last paragraph of TFA: "Funds will go to the correct address in one week or something, it's bad but can be solved easily," Di Michele he said to CNET. "Funds will be recovered with another upgrade that will adjust chain state. PoS chans are not like Bitcoin, they are governance powered. If governance says something, even state changes can happen."
      • Comment removed based on user account deletion
        • It's still a problem, just a much smaller one than was implied. It's silly that it takes even a week to sort out a problem like this. Perhaps there should be some form of address verification system so they can be sure that it was delivered somewhere.

    • by stikves ( 127823 )

      Yes.

      If you get 51% of the network on board, you can do anything you want with the ledger. That is part of the system.

      In the past when pools approached that magic number, miners moved away:
      https://www.coindesk.com/marke... [coindesk.com]
      I remember, in one case the pool itself took precaution.

      So, basically the headline is "nothing burger". The "fix" is already in there.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Friday May 06, 2022 @10:25AM (#62509322)
    Comment removed based on user account deletion
    • by ceoyoyo ( 59147 )

      Most money, crypto or otherwise, is held on ledgers, and has been for a loooong time. There was even an island tribe that used giant rocks collected from other islands as money. They obviously didn't carry them around with them but just recorded transactions, which was very handy when a boat carrying a bunch of the rocks sank. They just kept using them.

      Banks sometimes misplace money, or send it to the wrong place too. Double entry accounting helps a lot. Many cryptocurrencies are constructed so that such th

      • by NFN_NLN ( 633283 )

        > Banks sometimes misplace money, or send it to the wrong place too.

        You could undo a transaction of that nature.

        A better analogy would be:

        This is like the Spanish fleet transferring gold bricks from the Americas to Europe... and it just sank in the deepest part of the Atlantic Ocean. We know it's there and how much but we have no way of getting it... in this lifetime.

        • by ceoyoyo ( 59147 )

          Many cryptocurrencies are constructed so that such things are impossible.

          Although this one seems to be different. You can undo transactions, you just have to get a majority of internet crypto freaks to agree.

      • I'm no expert, but it seems like all cryptocurrencies are constructed with the express purpose of preventing what happened on the island of Yap. The entire point of cryptocurrency seems to be that a centralized authority, or any form of user consensus, cannot step in and overcome an unforeseen structural problem.
        • by ceoyoyo ( 59147 )

          I wasn't under the impression that the Yap stone currency was subject to a central authority. It seems like a fairly good analogy to cryptocurrencies: transactions are performed on an abstract ledger and represent trading of a scarce resource whose value is entirely a matter of group consensus.

          Bitcoin is designed so that the only authority that can perform a transaction is whoever holds the private key for the originating wallet. You can't even refuse a bitcoin transaction. Designed that way as far as is po

      • Most money, crypto or otherwise, is held on ledgers, and has been for a loooong time.

        Most money may be accounted for in ledgers, but it exists in a way that these legers are balanced. If you try to send money to a non-existent SWIFT account the transaction fails. If you try to send money a European IBAN and mistype a character the transaction won't even start since the account numbers themselves have mathematical checks for validity.

        On the flip side on crypto you can type in any nonsense and it will be happily committed to a ledger and locked away by the power of math.

        • by ceoyoyo ( 59147 )

          Double entry accounting helps a lot.

          It hasn't always, in all places, been done this way. It's pretty universal now because thousands of years of experience have taught us it's a good thing to do.

          Naturally when some dudes on the Internet design a new financial system purposely intended to break the old one, they toss most of that experience.

      • Comment removed based on user account deletion
    • Re: (Score:2, Offtopic)

      by geekmux ( 1040042 )

      If it was real money, it'd still exist in a form which could be located, identified and recovered.

      On average, a bank holds a mere fraction of its actual holdings on paper. If everyone wanted to go get their money right now, the shit-uation that would unfold at every major bank would show you how "real" anything is.

      Hard to lose $36 million? That doesn't even represent a rounding error in government spending bills. Incompetence can hide or lose $36 million. Corruption takes a hell of a lot more.

      • by Ed Tice ( 3732157 ) on Friday May 06, 2022 @12:06PM (#62509748)
        If everybody wanted to get their money, in cash, "right now," the banks wouldn't have enough cash in the vault. Especially in the case of branch banking where maybe there is plenty of cash in the vaults plural but not at one particular vault should an unusual number of people show up at that location. Most account agreements require notice for largish cash withdraws. Banks will sometimes waive that if they have the cash in the vault. If not, they will order it for you.

        In the case where there is a run on a bank, whether or not that causes a larger problem depends on whether the bank can convert assets to cash without taking large losses. In the current environment that's not so terribly difficult. Banks can sell mortgages to the US government and get a lot of cash quickly.

        The auto loans they've made are a bit harder. Credit card loans can't be sold quickly but banks also have access to the federal reserve's discount window and inter-bank loans.

        Large, publicly-traded banks, are pretty much immune to this. Even if their customers organized to all take their money simultaneously, unless that money ended up under mattresses, it would get deposited somewhere else and the "target" bank would just go borrow money from somewhere else. Of course other borrowing mechanisms are more expensive than taking deposits so it would hurt profits, but the bank wouldn't become insolvent.

    • by dbialac ( 320955 )
      Pablo Escobar would disagree. He burned millions to stay warm, and buried millions more which degraded underground.
  • by rsilvergun ( 571051 ) on Friday May 06, 2022 @10:34AM (#62509360)
    I mean, the point of crypto is to artificially constrain the supply so that the value goes up over time. Similar to how MMOs create money sinks to absorb the otherwise limitless currency they generate. This does that pretty well.
    • by msauve ( 701917 )
      Yep, what's more fair here than burning coins, so all current holders benefit equally?
    • the point of crypto is to artificially constrain the supply so that the value goes up over time
       
      I thought the point of crypto was money laundering and other criminal activities? There are also plenty of coins/tokens that don't have a supply limit. Dogecoin is one of them

      • There's also ponzi schemes and tax dodging. And wasting electricity and electronics.

        Why, there's a whole world of terrible uses for cryptocurrencies. I sure am glad the market is worth over $1.7 trillion. No way that'll ever bleed over into the larger financial markets and cause a massive recession. Nosiree.
      • HSBC has that covered already.

    • It will reduce demand because people don't want to put their hard-earned money at risk of vaporizing due to a simple mistake.
  • A "community vote" (Score:5, Insightful)

    by rsilvergun ( 571051 ) on Friday May 06, 2022 @10:42AM (#62509378)
    otherwise known as a 51% attack.

    I've been saying this for a while, but with the centralization of crypto around mining pools and exchanges it becomes possible to do a 51% attack.

    The mining pools have the means but not the motive. The exchanges bring the motive, since the exchanges interact with the broader financial markets and have an incentive to police them in a way that aligns with existing banking and finance law. Even if we all stop using fiat currency those social and political structures don't magically go away.

    So what happens when an exchange decides your money is stolen property? Well, if you store it in the exchange they just seize it. But if you keep it out of there, going peer to peer (and you can find anyone who'll take it from you, since the money is now permanently locked out of the exchanges) the exchanges can just go to the mining pools and say "make it so".

    Why would the mining pools do that? Well, they depend heavily on the exchanges to, well, exchange the currency their mining. Without the exchanges the pools don't have a reliable and safe place to offload their mined currency to. It's too difficult and risky to hand it out themselves. And remember, they still need cash to buy electricity, water and GPUs. Even if they can use crypto for that in the future they still need to use the "right" crypto, and many merchants would want to have an exchange in between them and someone else to protect them from taking "stolen" crypto currency.

    So the pools are locked into the exchanges, the exchanges are locked into banking and finance, and both are heavily centralized due to basic market realities (successful players expand and the back of their successes, buy out competitors, smaller ones go out of business or get bought, etc, etc).

    TL;DR; we've literally just recreated the banking system, with the Exchanges as the banks and the pools as the federal reserve, and a fuck ton of electricity and electronics being wasted.

    Good job there.
    • So, the potential for "distributed" corruption instead of centralized corruption. Nice... I hate it.
      • it didn't work. The market centralized like it always does. Tech couldn't stop basic market forces. Only solid regulation, updated as time change, does. That's why we have anti-trust laws.
    • I don't think this is a 51% attack issue. If it were then there would be zero reason they couldn't vote to recover the money.

    • by King_TJ ( 85913 )

      Yeah, good and valid point there!

      I think crypto is probably more about decentralizing things from a specific nation's government than about truly eliminating the concept that SOME entities will be able to exert some central control over it?

      Ultimately, I think the majority of people feel like stolen currency, whether in the form of crypto or in the form of a central government issued/backed version, is undesirable.

      The exchanges are only locked into the central government's established banking and finance sys

    • by Kaenneth ( 82978 )

      Won't happen, because Exchanges and Miners depend on their Crypto having value, it would be insane for them to destroy their own company to end up with nothing.

  • by xack ( 5304745 ) on Friday May 06, 2022 @10:44AM (#62509386)
    The entropy of the system means that eventually it will be all lost into the ether. If they could be recovered it means that the encryption is broken and the coins would be worthless anyway. It is all a game of musical chairs.
  • Shit Design. (Score:5, Insightful)

    by geekmux ( 1040042 ) on Friday May 06, 2022 @10:57AM (#62509450)

    "The programmer in charge for the transfer accidentally copied and pasted the hash number, rather than the wallet address."

    Hashes and wallet addresses are the exact same length, and offer zero validation checks within systems?

    That's not an error. That's an absolute shit design that could have prevented a $36 million dollar "oops".

    • by Paxtez ( 948813 )

      Even if there is a technical reason why the hashes and wallets need to be the same length/format (which I don't think there is), it seems like a simple check to the chain "Hey, the Target Wallet does not currently exist in the blockchain, are you sure you wish to transfer?" would have prevented this.

    • Re:Shit Design. (Score:4, Interesting)

      by RobinH ( 124750 ) on Friday May 06, 2022 @11:50AM (#62509672) Homepage
      It's always painful to watch the next generation make all the same mistakes the previous generations made. There's entire shelves at the bookstore devoted to good UI/UX design. Entire industries (like automotive manufacturing) are built around the ideas of error proofing. This shouldn't happen, but as long as startup companies decide they can't afford older more experienced engineers, and only want to hire the twenty-somethings that just came out of university because they can pay them in stock options, pizza and Red Bull and get them to work 80 hour weeks, this will continue to happen. This is an obvious failure mode of the system, and should have been considered and protected against from day one.
      • Older, experienced engineers aren't interested in working on ridiculous crypto currencies. We're interested in how we are going to minimize our personal suffering when the music ends and retail investors have lost their life savings in crypto.
        • by RobinH ( 124750 )
          I'm old and experienced, and even willing, but they'd have to pay me hourly with overtime like I'm making now, so they're not going to go for that. Can't have the old timer setting a bad example for the young kids.
    • That's not an error. That's an absolute shit design

      Define "shit design". I think the whole point of wallet addresses is that they aren't predictable and mathematically either random or generated from a passphrase. It's shit usability, but it was entirely by design for the purposes of security. Crypto morons are finding security also means protecting people from correcting mistakes.

      • It's shit design, as in an utter failure to design and validate inputs. No way in hell should a system like that be able to mistake a hash for a wallet address. One field could have been one character longer or shorter, and with proper validation would have rejected the bad/wrong input. And with a one-character modification, crypto could still retain all of the obfuscation they were selling before with addresses.

        I don't care if you're making a banking app or a wordcross game. Humans making mistakes isn'

    • We knew that it was *shit* by the developer who “copy&wasted” $36M crypto transfer instruction.

      What Dev would ever do that? At the crypto-level? It’s a story. An unbelievable one

  • by oldgraybeard ( 2939809 ) on Friday May 06, 2022 @10:58AM (#62509458)
    If technically skilled individuals can make an error like this. How can anyone who has worked with users in the IT world think "normal" users could ever use these products?
  • Or just another of the continuing string of multi million dollar crypto thefts? Or should I say inadvertent redirections. sic sic lol
  • by flug ( 589009 ) on Friday May 06, 2022 @11:02AM (#62509478)

    Another good example of why "Code is Law" is just plain dumb.

    It's an attempt by people who don't like dealing with people to just somehow factor people right out of the system.

    But currency is fundamentally about relationships people have with other people. Payments, debts, and all the rest don't make any sense if you somehow remove the people you are paying, the people who are paying you, the people who owe you a debt, the people you owe a debt, and all the rest from the system.

    The PEOPLE are literally what it is all about. You can remove them entirely but then the entire system is pointless.

    Every flaw in crypto revolves around #1. Flaws or bugs in the code. Which is basically an insoluble problem, because you just can't design a complex system in such a way that it doesn't have unexpected flaws. #2. The place where the system inevitably must interface with actual people. This is where things like the 51% attack come into play.

    "Code is Law" is just plain dumb.

    • by JcMorin ( 930466 )
      The code is law is indeed stupid, but having a protocol that allow to paste wrong stuff and still make it valid, broadcast, mined and process in the blockchain is just stupid wrong. * Address should have some form of "validator" (start with a letter and a checksum or something. * The another problem specific to ETH and those super complex crypto is that they allow very complex code. While this should smart at first it's dead trap for nasty flaw contract that only a few individual on earth can be 100% sure
  • Such errors can normally be prevented with good UI on the App side. Kinda like how my bank will prompt for a 2FA code and show multiple review/confirmation screens, before sending a transfer
  • Many functional languages use immutable data structures. They can still be used to convey the meaning that the programmer desires.

    Just being an immutable structure should not prevent adding a new transaction that effectively amends a previous transaction. The developer clearly has some god-like powers to direct transfers, so apparently not all access to this blockchain is equal

  • Safer than banks alright, where do I sign up?

    • No need to sign up. Your local elected representatives are scrambling to join in on the fun using YOUR money.

  • test send? (Score:4, Interesting)

    by mrbudman ( 882109 ) on Friday May 06, 2022 @11:12AM (#62509514)
    Ok maybe I am the idiot.. But when I am going to send money to someone I had not sent money before through even normal current channels, zelle, venmo, etc. I do a test send of smaller amount to actually make sure the funds are going to the correct place. If I was going to send 36 million and had never actually sent money to that address before. Wouldn't it make sense to send a much smaller amount as a test?
  • "And nothing of value was lost" .

  • I can't help but wonder how long it will be before that dev disappears to an undisclosed location. This excuse is MUCH better than "Hackers stole it!"
  • First, why in the hell was a developer selected/used to copy/paste anything in this case? What possible reason could be given to do this?

    Second, if this developer is this inept to a) copy/paste the wrong wallet and b) too lazy to check their work before committing, that speaks volumes about their coding abilities.

    Third, HAHA!

  • Stolen (Score:4, Funny)

    by muh_freeze_peach ( 9622152 ) on Friday May 06, 2022 @11:36AM (#62509622)
    So a group voted to steal the money from someone under the pretense that the currency was ill-gained, and accidentally set it on fire. LOL
  • by Murdoch5 ( 1563847 ) on Friday May 06, 2022 @11:40AM (#62509632) Homepage
    Why was there no validation if the sequence was a wallet or hash? It seems basic to preform a quick check against the "address" given to the system.
  • Seems totally reasonable. /s

  • "One of the key selling points of the blockchain is that it's immutable"

    Bank records are (supposedly) immutable as well. Banks don't reverse a transaction by erasing it from their journals; instead, they add an entry that undoes the original entry. The same could be done on a blockchain, except...

    No single entity holds the keys to all the wallets. This is the *real* distinction between banks and the blockchain. Banks can take your money if the government tells them to do so. Nobody can take your bitcoin, because you are (hopefully) the sole holder of the key to your wallet.

  • The programmer in charge for the transfer accidentally copied and pasted the hash number, rather than the wallet address.

    So is anyone suing this programmer and/or his employer? Or is "the community" not a legal entity? If there's no organisation responsible then presumably the returns are just too low to be worth it, because what programmer is worth $36 million? Or maybe there are jurisdictional issues (responsible parties don't reside in a convenient country).

    Something to think about before working in crypto. I can't imagine that liability insurance for this kind of screw-up is affordable.

...there can be no public or private virtue unless the foundation of action is the practice of truth. - George Jacob Holyoake

Working...