Coinbase pays out largest bug bounty ever for trading interface flaw

The researcher who discovered the issue was paid $250,000.
Written by Jonathan Greig, Contributor

Coinbase paid its largest bug bounty ever on Friday, rewarding a researcher with $250,000 for discovering a flaw in the crypto platform's trading interface.

On February 11, a researcher took to Twitter to say they found a "potentially market-nuking" vulnerability that needed to be addressed as soon as possible. Coinbase said it received a report through HackerOne from the researcher that same day and worked quickly to patch the bug. 

The issue involved a specific flaw in an API for Retail Advanced Trading, and Coinbase engineers were eventually able to reproduce the bug. They disabled all new trades by placing the Retail Advanced Trading platform in cancel-only mode before validating and releasing a patch.

The vulnerability was never used by an attacker, according to Coinbase. 

"The underlying cause of the bug was a missing logic validation check in a Retail Brokerage API endpoint, which allowed a user to submit trades to a specific order book using a mismatched source account," Coinbase explained. "This API is only utilized by our Retail Advanced Trading platform, which is currently in limited beta release."

"To give an example: A user has an account with 100 SHIB, and a second account with 0 BTC. The user submits a market order to the BTC-USD order book to sell 100 BTC, but manually edits their API request to specify their SHIB account as the source of funds. Here, the validation service would check to determine whether the source account had a sufficient balance to complete the trade, but not whether the source account matched the proposed asset for submitting the trade. As a result, a market order to sell 100 BTC on the BTC-USD order book would be entered on the Coinbase Exchange."
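To make the mismatch concrete, here is an added illustration (not Coinbase's code) that models the sell-order check described in the quote: the vulnerable version compares only the balance, while the fixed version first confirms that the source account holds the order book's base asset. The account and order shapes, and the sample balances, are assumed.

```python
"""Toy model of the validation flaw described above: the service checked the
source account's balance but never that the account held the asset being sold.
Hypothetical names and data; not Coinbase's implementation."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class Account:
    account_id: str
    asset: str      # currency this account holds, e.g. "SHIB" or "BTC"
    balance: float


@dataclass
class SellOrder:
    product: str          # order book, e.g. "BTC-USD"; a sell debits the base asset
    size: float           # quantity of the base asset to sell
    source_account: str   # account the client claims the funds come from


def base_asset(product: str) -> str:
    """'BTC-USD' -> 'BTC': the asset a sell order must be funded from."""
    return product.split("-")[0]


def validate_vulnerable(order: SellOrder, accounts: Dict[str, Account]) -> bool:
    """Reproduces the missing check: sufficient balance is all that is tested."""
    acct = accounts[order.source_account]
    return acct.balance >= order.size


def validate_fixed(order: SellOrder, accounts: Dict[str, Account]) -> bool:
    """Adds the logic validation: the source account must hold the book's base asset."""
    acct = accounts[order.source_account]
    if acct.asset != base_asset(order.product):
        return False          # mismatched source account: reject before the balance check
    return acct.balance >= order.size


# Constructed sample data mirroring the example in the statement
ACCOUNTS = {
    "acct-shib": Account("acct-shib", "SHIB", 100),
    "acct-btc": Account("acct-btc", "BTC", 0),
}
MISMATCHED_SELL = SellOrder("BTC-USD", 100, "acct-shib")

if __name__ == "__main__":
    print("vulnerable check accepts:", validate_vulnerable(MISMATCHED_SELL, ACCOUNTS))  # True
    print("fixed check accepts:", validate_fixed(MISMATCHED_SELL, ACCOUNTS))            # False
```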

Coinbase claims the vulnerability could not have been scaled up to create a larger attack because "Coinbase Exchange has automatic price protection circuit breakers" and its trade surveillance team monitors markets for anomalous trading activity.

The crypto company urged other researchers to submit to their HackerOne program.

The researcher who discovered the issue, Twitter user Tree_of_Alpha, explained the exploit:

Tree_of_Alpha commended Coinbase for their quick response to the problem, and even in his original Twitter thread, Coinbase representatives responded to his warning almost immediately. Coinbase CEO Brian Armstrong thanked the researcher for catching the vulnerability.  

In October, Coinbase sent breach notification letters to thousands of users after it discovered a "third-party campaign to gain unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase platform."