Harmony contractor reports $2.2 million ONE token minting bug, accused of theft by team members


DLNews reported that Aaron Li, one of the part-time contractors for the L1 public chain Harmony ONE, revealed that the project accidentally minted 150 million ONE tokens worth approximately $2.2 million due to a bug one month ago. In response, team member Casey Gardiner accused him of not reporting the bug in a timely manner and maliciously selling the tokens.

Harmony Protocol Token ONE Over-minted by Over 150 Million

Reports indicate that Aaron Li, one of Harmony's part-time contractors, published an article on X (formerly Twitter) regarding the over-minting of the protocol token ONE, stating that he reported the incident with good intentions but was accused of theft.

The article explains that a significant flaw in the Harmony protocol led to the loss of hundreds of thousands of dollars daily. Developer Aaron Li discovered and reported the flaw, but was allegedly ignored by Chief Engineer Casey Gardiner:

The developer intercepted nearly a million dollars within days, reported it voluntarily, helped fill the financial gap, analyzed and fixed the bug, but was accused of theft by the Chief Engineer. He claimed to ban the developer from participating in any ETHDenver and other events organized by the Ethereum Foundation.

How Did the Flaw Occur?

According to Aaron's article, the flaw stemmed from a design issue in the Harmony protocol's own proof-of-stake (PoS) consensus mechanism, which affected and damaged the staking contract:

When users attempted to withdraw staked assets, they erroneously received a large amount of the protocol's native token ONE at each Epoch, impacting the token's value negatively and potentially rendering it worthless.

Note: An Epoch is a unit of time in the Harmony protocol used to measure block generation cycles and maintain overall network synchronization, equivalent to 1 day.

Aaron stated that he discovered and reported the flaw on December 7, noting that the error minted up to 150 million ONE tokens valued at approximately $2.2 million, which were sent to 79 accounts, including his own, with most tokens already sold or transferred by the recipients.

Internal Team Members Blame Each Other

Aside from the absurd incident of over-minting a significant amount of tokens, the dispute between contractor and bug discoverer Aaron and Chief Engineer Casey has also caught the community's attention.

Aaron: Casey Delayed Handling the Issue, Causing Greater Losses

Chief Engineer Casey Gardiner posted on the governance forum regarding the "technical incident report on staking logic vulnerability and exploitation," claiming that Harmony employees conducted a preliminary investigation in the days following the discovery of the flaw on December 7.

In response, Aaron refuted Casey's claims of lying, stating that Casey had delayed addressing the flaw multiple times initially, leading to increased losses.

Aaron wrote in the article: "This is the third time I have brought this up to Casey."

Had we acted within the first 5 days, we could have mitigated 60% to 70% of the impact caused by the flaw.

Casey: Aaron Deliberately Concealed the Flaw to Sell Excess Tokens

On the other hand, Casey accused Aaron of intentionally concealing information about the flaw and delaying its fix, further alleging that he sold 16.4 million erroneously minted ONE tokens, worth over $260,000:

Aaron sold a portion of the erroneously minted ONE tokens for profit before the flaw was resolved, and he didn't even tell us the truth initially.

Casey added, "Aaron's selling behavior can be considered theft, and it wasn't until we started investigating that he admitted to receiving funds or selling tokens."

In response, Aaron emphasized that the tokens he sold between December 8 and 10 were already in his possession and criticized Casey for shifting the focus:

I believe this does not affect the severity of the flaw because the resolution of the bug is unrelated to whether I sold tokens or not.

To date, despite the bug being fixed, the controversy remains unresolved, and the relationship between Harmony's developers and the community may face trust issues.
