Coinbase pays out largest bug bounty ever for trading interface flaw
Coinbase paid its largest bug bounty ever on Friday, rewarding a researcher with $250,000 for discovering a flaw in the crypto platform's trading interface.
On February 11, a researcher took to Twitter to say they found a "potentially market-nuking" vulnerability that needed to be addressed as soon as possible. Coinbase said it received a report through HackerOne from the researcher that same day and worked quickly to patch the bug.
ZDNET Recommends
The issue involved a specific flaw in an API for Retail Advanced Trading, and Coinbase engineers eventually were able to reproduce the bug. They disabled all new trades by placing the Retail Advanced Trading platform in cancel-only mode before validating and releasing a patch.
The vulnerability was never used by an attacker, according to Coinbase.
"The underlying cause of the bug was a missing logic validation check in a Retail Brokerage API endpoint, which allowed a user to submit trades to a specific order book using a mismatched source account," Coinbase explained. "This API is only utilized by our Retail Advanced Trading platform, which is currently in limited beta release."
"To give an example: A user has an account with 100 SHIB, and a second account with 0 BTC. The user submits a market order to the BTC-USD order book to sell 100 BTC, but manually edits their API request to specify their SHIB account as the source of funds. Here, the validation service would check to determine whether the source account had a sufficient balance to complete the trade, but not whether the source account matched the proposed asset for submitting the trade. As a result, a market order to sell 100 BTC on the BTC-USD order book would be entered on the Coinbase Exchange."
Coinbase claims the vulnerability could not have been scaled up to create a larger attack because "Coinbase Exchange has automatic price protection circuit breakers" and its trade surveillance team monitors markets for anomalous trading activity.
The crypto company urged other researchers to submit to their HackerOne program.
The researcher who discovered the issue, Twitter user Tree_of_Alpha, explained the exploit:
Coinbase's "largest-ever bug bounty"
— Tree of Alpha (@Tree_of_Alpha) February 19, 2022
How a flaw in the new Advanced Trading feature would have allowed a malicious user to sell BTC or any other coin without owning them, and how Coinbase's reaction speed on a Super Bowl Friday averted a possible crisis.
Bounty: $250,000 pic.twitter.com/Y91M48pCcI
For a malicious user, a few attack vectors included:
— Tree of Alpha (@Tree_of_Alpha) February 19, 2022
-shorting on ftx/binance and flashing big limit sells (>100k btc) to make the market freak out.
-actually executing a constant selling pressure by using 50 SHIB to sell 50 BTC every minute.
-trying to withdraw the proceeds.
Tree_of_Alpha commended Coinbase for their quick response to the problem, and even in his original Twitter thread, Coinbase representatives responded to his warning almost immediately. Coinbase CEO Brian Armstrong thanked the researcher for catching the vulnerability.
In October, Coinbase sent breach notification letters to thousands of users after they discovered a "third-party campaign to gain unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase platform."