This article is more than nine months old

Inside the Harmony spat over a bug that created $2.2m in tokens

Inside the Harmony spat over a bug that created $2.2m in tokens
People & Culture
Harmony contributor Aaron Li and Harmony software engineer Casey Gardiner give conflicting accounts. Credit: Andrés Tapia
  • A pair of Harmony contributors — an employee and a consultant — give conflicting accounts about a bug that mistakenly created millions in tokens.
  • While the bug has been fixed, the dispute has yet to be resolved.

A public spat has played out online over a software bug that caused the Harmony blockchain to mistakenly mint millions of dollars worth of the network’s tokens.

Most of the tokens were promptly sold or transferred by their anonymous recipients, increasing the supply of circulating tokens.

But the dispute began with one recipient: Aaron Li, a Harmony consultant who first reported the bug.

Li and Harmony software engineer Casey Gardiner gave conflicting accounts of the events surrounding attempts to fix an “infinite mint” bug and manage its impact on Harmony.

The bug could have devalued Harmony’s native ONE token to the point of worthlessness, Li wrote on X, formerly known as Twitter.

The issue spotlights a challenge developers face addressing critical issues in crypto, when employees are also users, and when users are also investors. It’s also the latest controversy for a project whose founders have faced reports of mismanagement.

The bug

Harmony’s native token is ONE. There are about 12.3 billion ONE in circulation, worth about $191 million at Tuesday’s prices.

Like other blockchains that run on proof-of-stake technology, including Ethereum and Solana, Harmony’s security relies on users willing to lock up, or stake, its native token in exchange for modest annual yields.

Join the community to get our latest stories and updates

The bug impaired Harmony’s staking contract.

When a user opted to withdraw staked ONE, they received their stake several days later, along with an equal number of ONE at every subsequent “epoch” — a unit that is equivalent to about 32,000 blocks of transactions, about one day.

In a report published last month, Li said he discovered and reported the bug on December 7, adding that it had credited 79 accounts, including his own, with erroneously minted ONE.

According to his estimate, those accounts ultimately received almost 150 million ONE, worth $2.2 million at Tuesday’s prices.

After working to find and fix the bug, Li and Gardiner have since traded accusations on social media of impropriety.

Gardiner has accused Li of withholding information about the severity of the bug and delaying its fix, while receiving and selling some of the erroneously minted ONE.

Li, in turn, has defended the sale, and accused Gardiner of slow-walking the fix and compounding the problem.

Finding a fix

After Li reported the bug, Harmony employees conducted initial investigations on December 7, according to an incident report Gardiner published on Harmony’s governance forum.

In subsequent days, they struggled to replicate the issue amid limited information, Gardiner wrote.

Li disputes this.

“Nothing was really done in the first five days,” he told DL News. “We could have reduced about 60% to 70% of the problem.”

Alarmed, Li said he decided to look into the issue himself and on December 12 found a temporary solution, he wrote in his own report.

“When I brought it up the third time, he did look into it,” Li said.

Two days later, they had settled on a fix, according to Li.

‘I didn’t profit’

Li said he had received more than 51 million erroneously minted ONE. Between December 8 and 10, he sold 16.4 million, worth more than $260,000 at the time.

“He told us about the bug and reported it when he noticed his double payment, but he didn’t disclose that he was receiving funds or selling tokens until much later,” Gardiner told DL News.

“He didn’t lie, but he wasn’t straightforward with us at first, and it took us investigating and researching the wallets to tell us he was getting funds and selling.”

Li said he never hid the fact he had received and sold tokens as a result of the bug.

“The information is not relevant to determining what the bug was, when, how, and where it happened, who was impacted, and how bad it was,” Li said.

Furthermore, he was entitled to the 16.4 million ONE he sold, he said; he held more than 17 million ONE in other wallets and planned to destroy 51 million, so that his sale wouldn’t inflate the token’s circulating supply.

“I didn’t profit from this,” he told DL News. “What I do with the amount of tokens that I already own prior to the bug is my private affair.”

Whether Li profited is beside the point, according to Gardiner. Selling the tokens was wrong, even if Li could set things right after the fact, Gardiner said.

“If the bank accidentally deposited money into my account and I quickly spent it, you would be correct [in saying] that the money I had previously would be used to settle the incorrect deposit,” he said. “Does that make my action moral?”

Furthermore, Li has yet to destroy all the excess tokens as promised, Gardiner said. Li acknowledged that he still holds erroneously minted tokens worth more than $100,000.

But he defended the delay, arguing that he has seen little effort to recover the excess tokens received by other Harmony users.

“Accordingly, I do not have a timeline for burning the remaining amount, and I reserve my full and sole discretion in deciding what to do with the remaining amount,” he said.

“It is also worth mentioning that Harmony has not been billed for any work or effort in connection with discovering or fixing the bug.

If they were to be billed based on typical hourly or project fees I charge via my firm, the amount on the invoice would far exceed the value of the remaining amount.”

Gardiner said Harmony has “identified potential wallets involved with the bug and attempted to reach out in hopes of successfully burning the improper minted funds.”

The FBI and ETH Denver

The fight has spread beyond duelling reports and posts on social media.

According to Li, Gardiner claimed to have filed reports about his behaviour with the FBI and IRS, and told Li he would be barred from ETH Denver, the premier developer-focused Ethereum event in the US.

Gardiner is a member of the event’s board of stewards.

Li said he would like “clarity” regarding the reports before destroying the remaining tokens.

Gardiner declined to comment on the allegation beyond telling DL News he “filed reports and [has] blacklisted [Li] based on his moral grounds from attending ETHDenver.”

In addition to pursuit of others who profited from the bug, Li wants Harmony to begin paying bug bounties to encourage others to scour its code for critical issues.

“Other blockchains, [people who find] this kind of bug generally are given millions of dollars in bounty,” Li said. “I’m not expecting that. What I hope in the end is just [that] they do the right thing to make the product better and set a good example.”

Clarification: This story was updated on January 19 to clarify that Aaron Li is a consultant to Harmony. A previous version of this story referred to Li as a part-time contractor.

Update on January 19: After publication of this story, Aaron Li in an email said he destroyed the remaining tokens he received through Harmony’s “infinite mint” bug. “Some founder friends whom I respect asked me to do a kind thing,” he wrote. “I agreed. After all, this is the right thing to do.”

Aleks Gilbert is a DeFi Correspondent based in New York. Have tips? Send him an email at aleks@dlnews.com.