- Major crypto exchange Coinbase has resolved a serious vulnerability in its trading interface.
- The discovered glitch could have caused the exchange to lose hundreds of millions of dollars.
- Security researcher “Tree of Alpha” discovered the bug and reported it through Coinbase’s bug bounty program.
- Coinbase assures that the bug was not maliciously exploited before its response team patched it.
How the Bug Worked
It began with a report from an ethical hacker, filed with Coinbase’s security team on the 11th of February, 2022. The report came a week before Coinbase officially acknowledged that it had indeed been exposed to a possible attack.
The white-hat hacker (known by the moniker Tree of Alpha) revealed in an expansive Twitter thread on Saturday exactly how they discovered the bug. The researcher said they stumbled on the flaw while probing the UI of Coinbase’s new Advanced Trading feature. After making a few transactions and editing the IDs sent in the API request, Tree of Alpha quickly discovered a logic error in the new feature, an oversight significant enough to cause million-dollar losses.
According to Tree of Alpha, their search for a bug began with inspecting the details sent to the API when completing a transaction. After identifying the required IDs, Tree of Alpha modified some of the values.
“I decided to poke around the new Advanced Trading platform to find out how orders are sent… I put an ETH-EUR order from the UI, and grabbed the request that was sent. I noticed the API needs product, source and target account ids.”
Tree of Alpha’s tweaks were supposed to force an impossible transaction and return an error. They did not.
“In order to get a failed message,” they said, “I changed the product_id to BTC-USD, but did not change the two account ids (source is my ETH wallet, target is my EUR wallet). Expecting an error because my account is not allowed to trade the BTC-USD pair, the order just … goes through.”
Tree of Alpha executed similar orders a couple more times, on one occasion using 50 SHIB coins to complete a successful transfer of 50 BTC. For context, 50 SHIB was worth about $0.0014 at the time of writing, while 50 Bitcoin was roughly equivalent to $2 million. Had a malicious actor edited the API request in the same way from a SHIB account and submitted market orders to sell 100 BTC every minute, there would have been no limit to the losses that could have been incurred.
In summary, the ramification of the bug is that users could enter trades in assets they held no balance of. By manually switching the source account on an API request to another account holding some crypto, a user could book orders for higher-valued cryptocurrencies while paying with lesser ones: the API accepted a product_id that did not match the currencies of the source and target accounts.
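The check whose absence the article describes is a server-side consistency check between the trading pair and the accounts named in the request. The example below is an added, hypothetical illustration and is not Coinbase’s code; the account records, the `OrderRequest` shape, the `product_id` format and the sample balances are all assumptions constructed for it. It places an incomplete validator (one that only confirms the accounts exist and belong to the requester) beside a hardened one that derives the expected account currencies from `product_id` and also verifies the debited account holds the funds.

```python
"""
Hypothetical order-validation example (not Coinbase's code) illustrating the
class of flaw described above: a request whose product_id does not match the
currencies of the source and target accounts must be rejected server-side.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str
    currency: str
    balance: float


@dataclass(frozen=True)
class OrderRequest:
    product_id: str            # trading pair, e.g. "ETH-EUR" (base-quote)
    side: str                  # "sell" or "buy"
    size: float                # amount of the base asset
    limit_price: float         # quote units per base unit
    source_account_id: str     # account to be debited
    target_account_id: str     # account to be credited


class OrderValidationError(Exception):
    """Raised when a request is inconsistent, unauthorized or unfunded."""


# Constructed sample data: one user ("alice") with three accounts.
ACCOUNTS = {
    "acct-eth": Account("acct-eth", "alice", "ETH", 2.0),
    "acct-eur": Account("acct-eur", "alice", "EUR", 100.0),
    "acct-shib": Account("acct-shib", "alice", "SHIB", 50.0),
}


def parse_product(product_id: str) -> tuple:
    """Split "BASE-QUOTE" into its two currency codes."""
    parts = product_id.split("-")
    if len(parts) != 2 or not all(parts):
        raise OrderValidationError(f"malformed product_id {product_id!r}")
    return parts[0], parts[1]


def lookup_accounts(req: OrderRequest, accounts: dict, user: str):
    """Shared check: both accounts must exist and belong to the requester."""
    try:
        src = accounts[req.source_account_id]
        dst = accounts[req.target_account_id]
    except KeyError as e:
        raise OrderValidationError(f"unknown account {e.args[0]!r}")
    if src.owner != user or dst.owner != user:
        raise OrderValidationError("account not owned by requester")
    return src, dst


def validate_order_weak(req: OrderRequest, accounts: dict, user: str) -> bool:
    """Incomplete validation: it never compares product_id with the account
    currencies, so a swapped product_id passes. This is the gap the article
    describes, shown here only as the 'before' of the fix."""
    lookup_accounts(req, accounts, user)
    if req.side not in ("buy", "sell"):
        raise OrderValidationError("bad side")
    return True


def validate_order(req: OrderRequest, accounts: dict, user: str) -> bool:
    """Hardened validation: expected currencies come from the product, not
    from the client, and the debited account must actually hold the funds."""
    src, dst = lookup_accounts(req, accounts, user)
    base, quote = parse_product(req.product_id)
    if req.size <= 0 or req.limit_price <= 0:
        raise OrderValidationError("size and price must be positive")
    if req.side == "sell":            # give base, receive quote
        expected_src, expected_dst, debit = base, quote, req.size
    elif req.side == "buy":           # give quote, receive base
        expected_src, expected_dst, debit = quote, base, req.size * req.limit_price
    else:
        raise OrderValidationError("bad side")
    if src.currency != expected_src or dst.currency != expected_dst:
        raise OrderValidationError(
            f"{req.product_id} {req.side} requires {expected_src}->{expected_dst}"
            f" accounts, got {src.currency}->{dst.currency}")
    if src.balance < debit:
        raise OrderValidationError(
            f"insufficient {src.currency}: need {debit}, have {src.balance}")
    return True


def accepts(validator, req: OrderRequest, accounts=ACCOUNTS, user="alice") -> bool:
    """Convenience wrapper: True if the validator accepts, False if it raises."""
    try:
        return validator(req, accounts, user)
    except OrderValidationError:
        return False
```

Running the two validators over the same requests shows the difference: an ETH-EUR sell from the ETH account to the EUR account passes both, while the same request with `product_id` changed to BTC-USD, or sourced from the SHIB account, passes only the weak validator. The design point is that the server derives every constraint (which currencies, which balance) from data it owns, and treats every field in the request as an untrusted claim to be checked against that data.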
Concerned about the bug ending up in the wrong hands, the hacker promptly sought contact with Coinbase’s response team. Twitter users directed Tree of Alpha to file a vulnerability report through Coinbase’s bug bounty program on HackerOne. This happened an hour before Tree of Alpha succeeded in getting CEO Brian Armstrong’s attention.
.@Tree_of_Alpha you’re awesome – a big thank you for working with our team
love how the crypto community helps each other out!
— Brian Armstrong – barmstrong.eth (@brian_armstrong) February 11, 2022
Coinbase’s security response team addressed the hacker’s report within a few minutes of receiving it. The team then checked its other user interfaces to see whether any were affected. Coinbase said it found no other inconsistencies.
According to Coinbase, had a malicious attacker seized the bug before its patch, the damages would have been limited in effect.
“There were mitigating factors that would have limited the impact of this flaw had it been exploited at scale,” reads Coinbase’s report.
The exchange says that measures such as automatic price-protection circuit breakers and a surveillance team that monitors for abnormal trading activity would have reduced the damage.
Tree of Alpha was awarded a bounty of $250,000, in what is Coinbase’s largest bounty payout to date.