J Markezic and M Bacina

Critical bug in Coinbase reported and fixed

A security engineer under the user name 'Tree of Alpha' has been paid USD$250,000 as a 'bug bounty' for locating a frighteningly simple bug in the Coinbase website that, in effect, allowed users of the platform to sell cryptocurrency which they did not own.

The engineer discovered that, due to a simple flaw in the website code of a new trading feature launched by Coinbase, users could submit a trade in one cryptocurrency but cause the trade to occur in another cryptocurrency which they did not own. A validation check was absent from the brokerage API endpoint which permitted the instructions to be submitted. This meant, for example, that a sell order for 50 Dogecoins held by a customer could have been spoofed into becoming a 50 Bitcoin sell order.

The engineer initially reported the bug to the Coinbase bounty program and then resorted to Twitter to raise the alarm, describing the vulnerability as:

potentially market-nuking.

Coinbase shut the new product down in 30 minutes and responded within six hours that the vulnerability was remedied. Coinbase say the bug had not been misused previously. After responding to the vulnerability, Coinbase published an explanation as to the nature of the bug:

A user has an account with 100 SHIB, and a second account with 0 BTC. The user submits a market order to the BTC-USD order book to sell 100 BTC, but manually edits their API request to specify their SHIB account as the source of funds. Here, the validation service would check to determine whether the source account had a sufficient balance to complete the trade, but not whether the source account matched the proposed asset for submitting the trade. As a result, a market order to sell 100 BTC on the BTC-USD order book would be entered on the Coinbase Exchange.
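The following is an added illustration, not Coinbase's code, of the check that the explanation above says was missing: a toy validator that only checks the source account's balance, beside one that also checks that the source account holds the asset the order book trades. The account ids and the in-memory accounts store are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Account:
    asset: str      # currency the account holds, e.g. "SHIB" or "BTC"
    balance: float

@dataclass
class Order:
    product: str         # order book, e.g. "BTC-USD"; the base asset is the part before "-"
    size: float          # amount of the base asset to sell
    source_account: str  # account id the client names as the source of funds (client-controlled)

class ValidationError(Exception):
    pass

def base_asset(product: str) -> str:
    return product.split("-", 1)[0]   # "BTC-USD" -> "BTC"

def validate_vulnerable(order: Order, accounts: dict) -> None:
    """Balance check only: the behaviour described in the explanation above."""
    acct = accounts[order.source_account]
    if acct.balance < order.size:
        raise ValidationError("insufficient balance")

def validate_fixed(order: Order, accounts: dict) -> None:
    """Balance check plus asset check: the source account must hold the base asset being sold."""
    acct = accounts[order.source_account]
    expected = base_asset(order.product)
    if acct.asset != expected:
        raise ValidationError(f"source account holds {acct.asset}, order sells {expected}")
    if acct.balance < order.size:
        raise ValidationError("insufficient balance")

def is_accepted(validator, order: Order, accounts: dict) -> bool:
    """True if the validator lets the order through to the order book."""
    try:
        validator(order, accounts)
        return True
    except ValidationError:
        return False

# Constructed accounts matching the explanation: 100 SHIB in one, 0 BTC in the other.
ACCOUNTS = {"shib-acct": Account("SHIB", 100.0), "btc-acct": Account("BTC", 0.0)}
# Tampered request: sell 100 BTC on BTC-USD, but name the SHIB account as the source of funds.
TAMPERED = Order("BTC-USD", 100.0, "shib-acct")
# Honest request: sell 100 SHIB on SHIB-USD from the SHIB account.
HONEST = Order("SHIB-USD", 100.0, "shib-acct")

if __name__ == "__main__":
    for name, v in (("vulnerable", validate_vulnerable), ("fixed", validate_fixed)):
        print(name, "tampered:", is_accepted(v, TAMPERED, ACCOUNTS), "honest:", is_accepted(v, HONEST, ACCOUNTS))
```

The balance-only validator accepts the tampered order because the SHIB account does hold 100 units; the fixed validator rejects it while still accepting the honest SHIB sale.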

This highlights the distinction between 'white hat' and 'black hat' hackers. Traditionally, the public have been taught, when hearing about 'hackers', to picture a criminal behind a laptop in a dark room: the so-called 'black hat' hacker who breaks into computer networks with malicious intent and is driven by self-serving, often economic, motivations.

On the other hand, there exists another form of hacker: the 'white hat' hacker. These hackers probe computer systems to identify security flaws so that they can be fixed.

Of course, when talking about absolutes like 'black' and 'white,' it would be difficult to overlook the middle ground - the 'grey hat' hacker. These are hackers that act somewhere in the middle of 'black' and 'white' hacking. Oftentimes, they will exploit vulnerabilities without the permission of the platform owner in order to gain publicity and attract a fee.

Most bug bounties are, however, publicly offered so as to attract white hat hackers to test and challenge code, with a known reward if they succeed, and are popular in many blockchain and DeFi projects.