Bug in Coinbase allows you to trade 50 Bitcoin for 50 Shiba3 min read
White Hat Hackers are an essential part of the crypto market and the entire online industry, often finding defects that could end companies.
Recently a hacker known as “Tree of Alpha” won a Coinbase bounty for finding and reporting a bug that could have severely harmed Coinbase.
The hacker himself told the case on his Twitter account, where he talked about how he got the “biggest bug bounty in history.” Tree of Alpha received a total of $250K for identifying a fatal bug.
“How a flaw in the new Advanced Trading feature would have allowed a malicious user to sell BTC or any other coin without owning them, and how Coinbase’s reaction speed on a Super Bowl Friday averted a possible crisis.”
Tree of Alpha stated that it was tinkering with the new advanced Coinbase trading platform to understand how orders were sent and executed. He said he placed an order on the ETH/EUR pair and noticed that the API needed a product identification, source, and recipient account.
While trying to change these IDs, he realized something was wrong and could be something potentially dangerous.
“To get a failed message, I changed the product_id to BTC-USD but did not change the two account ids (source is my ETH wallet, the target is my EUR wallet). Expecting an error because my account is not allowed to trade the BTC-USD pair, the order just … goes through.”
He could exchange these IDs for selling in an order book where he does not have the coins. He even tested with 0.0243 ETH to sell 0.243 BTC, exchanging this information in order.
“I just used 0.0243 ETH to sell 0.0243 BTC on the BTC-USD pair, a pair I do not have access to without holding any BTC. Hoping this is a UI bug, I check the fills on order, and they match the API: those trades happened on the live order book.”
In theory, he could use this bug to create orders in currencies he didn’t have in his wallets. He even carried out a second experiment using the SHIB cryptocurrency.
He sent 9 million SHIB to his Coinbase account and similarly exchanged the order information to create a sell order for 50 bitcoin using just 50 SHIB. He even asked people nearby if they could see the purchase order, and it existed.
“For my last test before reporting this to make sure, I send 9M SHIB to my Coinbase account -change source account id to my SHIB account on Coinbase -put a 50 BTC limit sell order using 50 SHIB -ask people around me if they are, too, seeing it.
And quite frankly, there aren’t many things quite as sobering yet terrifying as realizing: -you just put a 50 BTC limit sell order using 50 SHIB. –everyone else can see it. Five minutes later, I was sending this initial tweet.”
Tree of Alpha said that because of community support, the Coinbase Dev team contacted him and canceled all market orders to fix the bug within three minutes.
“Thanks to an overwhelming community response including prominent faces like @cobie, @samczsun, @FEhrsam, @SecurityGuyPhil, and @vishalkgupta, I quickly get Coinbase’s attention. Barely 3 minutes after my HackerOne report was sent, I got an answer from the Dev team.
After quickly explaining the exploit and supplying proof of concept, I insist on how Coinbase needs to immediately stop all Advanced Trading, incl. And most importantly, posting orders. Less than 30 minutes later, all markets there were in cancel-only mode.”
The consequences would have been so worst and beyond imagination, if any black hat hacker had found the nug, but thanks to Tree of Alpha, he not only saved Coinbase but all the traders that are trusting Coinbase security and trading billions of dollars on it.