Popular cryptocurrency exchange Coinbase has a white hat hacker to thank after he discovered a potential security flaw that could have resulted in devastating losses for customers.
Coinbase Could Have Been Stuck in a Rut
The security engineer who discovered the problem goes by the name Tree of Alpha. A real name is unknown at the time of writing, though this white hat hacker has ultimately garnered a bounty of about $250,000 from Coinbase due to his recent discovery. Tree of Alpha found an open window in Coinbase’s design that would have allowed someone to sell cryptocurrency that wasn’t theirs.
They could sneak into another person’s account and sell their digital assets without their knowledge or consent. The money wasn’t theirs, but they could certainly profit off the stash. All this stems down to what’s been described as a “missing logic validation check” in the retail brokerage API endpoint. This allowed users to submit trades on specific orders using source accounts that were mismatched.
The good news is that the problem has been resolved at press time and nobody appears to have been aware of the bug, which means no illicit actors have taken advantage of the open doorway. A blog post published by Coinbase describes the issue:
On February 11, 2022, we received a report from a third-party researcher indicating they had uncovered a flaw in Coinbase’s trading interface. We promptly mobilized our security incident response team to identify and patch the bug and resolved the underlying system issue without any impact to customer funds.
Describing how a hacker could have used the bug to their advantage, Coinbase writes:
A user has an account with 100 SHIB, and a second account with zero BTC. The user submits a market order to the BTC-USD order book to sell 100 BTC, but manually edits their API request to specify their SHIB account as the source of funds. Here, the validation service would check to determine whether the source account had a sufficient balance to complete the trade, but not whether the source account matched the proposed asset for submitting the trade. As a result, a market order to sell 100 BTC on the BTC-USD order book would be entered on the Coinbase exchange.
On social media, Tree of Alpha wrote the following:
Hoping this is a UI bug. I check the fills on the order, and they match the API. Those trades really happened on the live order book.
Trying to Get in Touch
Coinbase is notorious for its lack of customer service and slow response rate. Hoping to find some way of getting in touch with the right person, Tree of Alpha sent the exchange a message on Twitter explaining what he discovered.
It took about six hours for someone at Coinbase to respond. The exchange worked to see if it had been compromised, and upon learning that it hadn’t, the exchange fixed the issue and offered payment to Tree of Alpha.
Source: https://www.livebitcoinnews.com/a-coinbase-security-flaw-was-stopped-just-in-time/