- Major crypto exchange Coinbase has resolved a serious vulnerability in its trading interface.
- The discovered glitch could have caused the exchange to lose hundreds of millions of dollars.
- Security researcher “Tree of Alpha” discovered the bug and reported it via Coinbase’s bug bounty program.
- Coinbase assures that the bug was not maliciously exploited before its response team patched it.
How the Bug Worked
It began with a report from an ethical hacker, filed with Coinbase’s security team on the 11th of February, 2022. The report came a week before Coinbase publicly acknowledged that it had been exposed to a possible attack.
The white-hat hacker (who goes by the moniker Tree of Alpha) explained in an expansive Twitter thread on Saturday exactly how they discovered the bug. The researcher said they stumbled on the flaw while probing the UI of Coinbase’s new Advanced Trading feature. After placing a few orders and editing the ids of elements in the API request, Tree of Alpha quickly found a logic error in the new feature: an oversight significant enough to cause million-dollar losses.
Tree of Alpha’s Investigation
According to Tree of Alpha, their search for a bug began with inspecting the details sent to the API when completing a transaction. After identifying the required ids, Tree of Alpha fiddled with some of the values.
“I decided to poke around the new Advanced Trading platform to find out how orders are sent […] I put an ETH-EUR order from the UI, and grabbed the request that was sent. I noticed the API needs product, source and target account ids.”
Tree of Alpha’s tweaks should have produced an impossible transaction and returned an error. They did not.
“In order to get a failed message,” they said, “I changed the product_id to BTC-USD, but did not change the two account ids (source is my ETH wallet, target is my EUR wallet). Expecting an error because my account is not allowed to trade the BTC-USD pair, the order just … goes through.”
Tree of Alpha executed similar orders a couple more times, this time using 50 SHIB coins to complete a successful transfer of 50 BTC. For context, 50 SHIB is worth about $0.0014 at the time of writing, while 50 Bitcoin is roughly equivalent to $2 million. A malicious attacker could have edited their API requests manually while using a SHIB account and, by submitting market orders to sell 100 BTC every minute, created limitless losses.
In summary, the consequence of the bug was that users could place trades in assets they held no balance of. By manually switching the source account on an API request to another account holding some cryptocurrency, a user could book orders for higher-valued cryptocurrencies while paying with lesser ones.
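The missing check described above, as an added example rather than any code from Coinbase: a minimal model of order validation in which the request carries a product id plus source and target account ids, exactly as the researcher's quoted request did. The first function models the flawed behaviour (the ids only have to exist); the second adds the consistency check a practitioner would expect, requiring both accounts to be denominated in the currencies the product actually trades and the source to cover the order. Account ids, balances and the product table are constructed sample data, and the function names and the `side` parameter are assumptions for illustration.

```python
# Added example, not Coinbase's code: a minimal model of the order-validation
# step the article describes as missing. Account ids, balances and the
# product table below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    currency: str
    balance: float


# Constructed ledger for one hypothetical user (ids are made up).
ACCOUNTS = {
    "acct-eth": Account("acct-eth", "ETH", 2.0),
    "acct-eur": Account("acct-eur", "EUR", 500.0),
    "acct-shib": Account("acct-shib", "SHIB", 50.0),
}

# Product ids in the form the article quotes ("ETH-EUR", "BTC-USD"),
# mapped to (base currency, quote currency).
PRODUCTS = {
    "ETH-EUR": ("ETH", "EUR"),
    "BTC-USD": ("BTC", "USD"),
}


def validate_order_unchecked(product_id, source_id, target_id, size):
    """Models the flawed behaviour: every id only has to exist.

    Nothing ties the source/target accounts to the product's currencies,
    so a request whose product_id was edited after the fact is accepted.
    Returns (accepted, reason).
    """
    if product_id not in PRODUCTS:
        return False, "unknown product"
    if source_id not in ACCOUNTS or target_id not in ACCOUNTS:
        return False, "unknown account"
    return True, "accepted"


def validate_order_checked(product_id, source_id, target_id, size, side="sell"):
    """Hardened version: the accounts must match the product, and the
    source must actually hold what the order would debit.

    For a sell, the source account holds the base currency and the target
    receives the quote currency; for a buy it is the other way round.
    `size` is the amount debited from the source account.
    Returns (accepted, reason).
    """
    if product_id not in PRODUCTS:
        return False, "unknown product"
    if source_id not in ACCOUNTS or target_id not in ACCOUNTS:
        return False, "unknown account"
    if side not in ("buy", "sell"):
        return False, "unknown side"
    if size <= 0:
        return False, "size must be positive"

    base, quote = PRODUCTS[product_id]
    source, target = ACCOUNTS[source_id], ACCOUNTS[target_id]
    debit_ccy, credit_ccy = (base, quote) if side == "sell" else (quote, base)

    # The check the article says was missing: both accounts must be
    # denominated in the currencies the product actually trades.
    if source.currency != debit_ccy:
        return False, f"source account is {source.currency}, product debits {debit_ccy}"
    if target.currency != credit_ccy:
        return False, f"target account is {target.currency}, product credits {credit_ccy}"

    # Balance check: no selling assets the user does not hold.
    if source.balance < size:
        return False, f"insufficient {source.currency} balance"

    return True, "accepted"


if __name__ == "__main__":
    # The legitimate ETH-EUR order from the article, then the same request
    # with only product_id edited: accepted by the unchecked path, rejected
    # once the accounts are matched against the product.
    print(validate_order_checked("ETH-EUR", "acct-eth", "acct-eur", 1.0))
    print(validate_order_unchecked("BTC-USD", "acct-eth", "acct-eur", 1.0))
    print(validate_order_checked("BTC-USD", "acct-eth", "acct-eur", 1.0))
```

The design point is that the server derives which currencies the order debits and credits from the product id alone, then verifies the client-supplied account ids against that, rather than trusting that the three ids arrived together from the UI. The balance check is separate so that the two failure modes the article describes (wrong asset, and an asset the user does not hold) are each rejected with their own reason.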
Concerned that the flaw might end up in the wrong hands, the hacker promptly tried to contact Coinbase’s response team. Twitter users pointed Tree of Alpha to Coinbase’s bug bounty program on HackerOne, where they filed a vulnerability report. That was an hour before Tree of Alpha managed to get the attention of CEO Brian Armstrong.
.@Tree_of_Alpha you're awesome – a big thank you for working with our team
love how the crypto community helps each other out!
— Brian Armstrong – barmstrong.eth (@brian_armstrong) February 11, 2022
Coinbase’s security response team addressed the hacker’s report within a few minutes of receiving it. The team then checked its other user interfaces to see whether any of them were similarly affected. Coinbase said it found no other inconsistencies.
According to Coinbase, had a malicious attacker exploited the bug before it was patched, the damage would have been smaller than the figures above suggest.
“There were mitigating factors that would have limited the impact of this flaw had it been exploited at scale,” reads Coinbase’s report.
The exchange says that measures such as automatic price-protection circuit breakers and a surveillance team that monitors abnormal trading activity would have limited the damage.
Tree of Alpha was awarded a bounty of $250,000, in what is Coinbase’s largest bounty payout to date.