ASK KNOX
beta
LESSON 272

Screenshot as Forensic Evidence

When a wallet screenshot beats an RPC call. The Hermes wallet mismatch resolved in 30 seconds once the user sent a Metamask screenshot showing the funded address. Why visual evidence from trusted UIs short-circuits hours of code spelunking — and when to ask for it.

6 min read

The Hermes debugging thread had burned 40 minutes when Knox asked for a screenshot.

"Can you send me a picture of Metamask showing the funded wallet address?"

Thirty seconds later, the screenshot arrived. The address in the screenshot was 0xCF56...0aD. The address Hermes had logged as its wallet at startup was 0x081c...0115. Two addresses that did not match. Bug diagnosed. The remaining work was just rotating the Doppler key to the correct private key.

Every RPC call before that screenshot had been telling Hermes what Hermes's own code was asking to see. None of them could break out of the bot's worldview because they were running inside the bot's worldview. The screenshot was evidence from outside.

When to Ask for a Screenshot

The technique is useful under a specific condition: you suspect the bot's own observations are unreliable. This happens when:

  • The bot is logging "zero" but the user says "it should be funded."
  • The bot is claiming a config value the operator does not recognize.
  • The bot's checksums or hashes do not match expected values.
  • The bot and an external system report different facts about the same thing.

In each of these cases, running more queries from inside the bot is recursive. You need an observer outside the bot's failure mode — ideally, a human in front of a UI the bot cannot influence.

What to Ask For

A good diagnostic screenshot includes:

  1. The claim you are checking — the balance, the address, the config value.
  2. Enough metadata to identify it — network label, asset name, wallet label, timestamp.
  3. The UI chrome — so you can see this is from Metamask or Polygonscan or the exchange dashboard, not a screenshot of a screenshot.

Bad screenshot: a zoomed-in number with no context. Good screenshot: Metamask open on Polygon network showing "Wallet 1" with address 0xCF56...0aD and "USDC.e 14.99" visible.

Inline Diagram — The Detour Around Corrupted Observation

SCREENSHOT AS INDEPENDENT EVIDENCE SOURCEBOT CODE PATHSqueries run inside the bot'sown configurationbalance = 0 (wrong wallet queried)every query confirms the wrong answerSCREENSHOTHUMAN + TRUSTED UIMetamask viewing the actualfunded wallet directly0xCF56…0aD → $14.99ground truth outside bot's worldview

The Asymmetry

Thirty seconds of human effort (take screenshot, send) replaced an hour of code archeology. That asymmetry is typical. Humans with eyes on a trusted UI are an enormous resource during debugging — one that automation-first engineers systematically underuse. When the bot is corrupted in its observations, the cheapest external observer is the human who already has the UI open.

The Rule

Screenshots from trusted UIs are first-class debugging evidence. Ask for them when the bot's own observations are suspect. Specify the metadata you need. Treat the screenshot as the ground truth that every automated source must be reconciled against. The Hermes wallet bug was solved by a picture, not by code.