tl;dr Summary: Coinbase awards their largest bug bounty yet of $250,000 for an infinite money printing bug.
The term “hacker” normally carries a negative connotation. Hackers are often synonymous with cyber criminals who use their expert-level proficiency in information technology and computer programming with malicious intent. However, not all hackers are looking to steal your hard earned money. Cybersecurity researchers and penetration testers are examples of hackers that use their ability for good. Software companies often offer thousands of dollars in bounty reward payments to such hackers who find errors or bugs in their software which could be exploited by a malicious user.
One such bug bounty reward was given to a software engineer and trader known on twitter as Tree_of_Alpha. Coinbase, largest cryptocurrency exchange in the United States by trading volume, recently awarded the researcher $250,000 for finding a bug which could have been exploited to print infinite sums of money and wreak havoc to the cryptocurrency market.
Coinbase recently launched an Advanced Trade option on their platform which gives users advanced tools for trading cryptocurrency. This new feature allows Coinbase users to make limit orders, stop-loss orders, and even stake cryptocurrencies like Ethereum and Tezos. Before fully releasing this feature to the public, Coinbase had released a beta version to a limited number of users for testing. The cybersecurity researcher who found the bug was initially trying to understand how orders were sent on this feature and what a successful order looked like. The user did this by examining the Application Programming Interface (API), which is the software that connects Coinbase’s platform with a cryptocurrency orderbook, an electronic list of an asset’s buy and sell activity.
The user identified that for a successful trade order to be submitted the API requires a product ID for the asset being bought or sold (e.g. BTC-USD, ETH-USD, etc.) and the wallet addresses of both parties in the trade. In order to test their hypothesis, the user created two crypto wallets:
one containing Ethereum (ETH) and one containing Euros (EUR). The user then created an order from the wallet to sell 0.0234 ETH to the wallet containing EUR. Before submitting, the user modified the product ID in the API from “ETH-EUR” to “BTC-USD”. The user expected to see an error message since neither wallet had any Bitcoin. However, the order went through and they had successfully used 0.0234 ETH (~$60) to sell 0.0234 BTC (~$890).
The user tested this bug again using a different cryptocurrency. This time they were able to use 50 SHIB, worth about 1/10th of a penny, to create a 50 BTC limit-sell order by simply changing the product ID in the API code from “SHIB-USD” to “BTC-USD”. After verifying that this sell order was live on Coinbase’s platform the user immediately submitted a report to HackerOne.com, a bug bounty platform that connects businesses with penetration testers and cybersecurity researchers. Coinbase promptly responded to the report, paused trading on their Advanced Trade platform and resolved the bug in about 4 hours.
Hypothetically, had this been a malicious hacker who found the bug, a limit-sell order could be created using 50 SHIB (~$0.001) with a sale price of $50,000. The product ID could then be manipulated to display a limit-sell order of 50 BTC for $50,000. A buyer would then come along fully believing they had bought $1.9 million worth of Bitcoin for just $50,000. The hacker could then withdraw their profits from their Coinbase account into their bank account, essentially creating money out of thin air.
To Coinbase’s credit, they likely would have been able to mitigate the damage this bug would have caused. In their retrospective analysis, Coinbase noted:
“There were mitigating factors that would have limited the impact of this flaw had it been exploited at scale. For example, Coinbase Exchange has automatic price protection circuit breakers, and our trade surveillance team continuously monitors our markets for health and anomalous trading activity.”
Luckily Coinbase users never have to worry about this possibility because a hacker with good intentions was able to spot the problem and contact the right people to get the bug resolved quickly.
