NNS Disburse changes account address randomly? NNS doesnt validate account. Lost ICP

I first noticed this happen a few times 2 weeks ago when I tried to disburse ICP from spawned neurons in the NNS. For some reason a few times the account address changed to something else, but luckily I caught the error and put in the main address to sweep all the spawns into one neuron.

Today I wasn’t so lucky as i had the NNS zoomed out and didn’t really pay attention to the send address so I had not thoroughly checked the disburse to account address and 15 ICP ended up some place else

I guess from now on i’ll need to shift over to using Quill… has anyone else encountered something like this?

3 Likes

apparently no one thought to implement this in the NNS?

How to verify the checksum of an account address?

  • After hex decoding, the first 4 bytes is the big-endian CRC32 checksum of the rest of the address.
  • Call address_from_hex in the JavaScript SDK. It returns and error if checksum doesn’t match.
  • Here is a Java implementation of address validation logic.
1 Like

it’s not concerning to anyone here that people are losing funds?

Hi @superduper, we’re actively investigating the issue and will get back to you ASAP.

3 Likes

@superduper We did an investigation, and you’re absolutely right. There was no checksum verification when disbursing neurons.

We now have proposal 19515 open to address the issue on the frontend side, and there will be additional discussion to be had by the NNS team to carry similar checks on the NNS itself.

Note that this problem is specific to disbursing neurons. ICP transfers, for instance, do have checksum verification, but disbursing specifically has fallen through the cracks.

The foundation has reimbursed you for the lost funds. Thanks again and apologies for the frustration :pray:

11 Likes

cool thanks appreciate it!