Coinbase and the story of the latest ‘market-nuking’ vulnerability
If you were a white hat hacker and you had to choose between exploiting a “potentially market-nuking” vulnerability and accepting a $250,000 bug bounty, what would you pick? This month, one white hat hacker chose the latter, leading to a big sigh of relief from the Coinbase exchange.
Saved from a coin-man
The engineer, who goes by the name “Tree of Alpha” on Twitter [@Tree_of_Alpha], shared a thread with the details of the vulnerability and how they tested the bug before reaching out to Coinbase. Tree of Alpha claimed that the vulnerability in the exchange giant’s Advanced Trading feature might have let a less ethical hacker walk away with profits after selling Bitcoin and other coins that they didn’t even hold.
Tree of Alpha also claimed,
“I just used 0.0243 ETH to sell 0.0243 BTC on the BTC-USD pair, a pair I do not have access to, without holding any BTC.”
Next, they tried to place a 50 BTC limit sell order using 50 SHIB. When other people reportedly said they too could see this, Tree of Alpha tweeted for help to reach Coinbase’s top execs. Praising Coinbase’s reaction speed, Tree of Alpha said,
“While I sometimes have my beef with Coinbase, I am not sure I could have reached any other CEX that quickly in the same situation.”
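The behaviour described in the thread (a sell of 0.0243 BTC on BTC-USD going through while the account held only ETH, and a 50 BTC sell attempted with 50 SHIB) is consistent with an order validator that trusts a client-supplied funding asset instead of deriving the settlement asset from the trading pair. The following Python is an added illustration of that bug class and its fix; it is not Coinbase’s code and the root cause is an assumption, not something the article states. The `funding_asset` field, the `PAIRS` table and the balances are all constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed pair table: (base, quote). A SELL delivers the base asset,
# a BUY pays with the quote asset. Not Coinbase's real market list.
PAIRS: Dict[str, Tuple[str, str]] = {
    "BTC-USD": ("BTC", "USD"),
    "ETH-USD": ("ETH", "USD"),
    "SHIB-USD": ("SHIB", "USD"),
}


@dataclass(frozen=True)
class Order:
    pair: str
    side: str            # "buy" or "sell"
    size: Decimal        # quantity of the base asset
    price: Decimal       # limit price, denominated in the quote asset
    funding_asset: str   # hypothetical client-supplied field naming the asset that settles the order


def make_order(pair: str, side: str, size, price, funding_asset: str) -> Order:
    """Build an Order, converting numeric inputs through str() so floats do not leak in."""
    return Order(pair, side, Decimal(str(size)), Decimal(str(price)), funding_asset)


def _balance(balances: Dict[str, object], asset: str) -> Decimal:
    return Decimal(str(balances.get(asset, "0")))


def check_vulnerable(order: Order, balances: Dict[str, object]) -> bool:
    """Weak check: trusts the client-named funding asset and only inspects its balance.

    Selling 0.0243 BTC while naming ETH as the funding asset passes as long as the
    account holds 0.0243 ETH, which is the behaviour the thread describes.
    """
    return _balance(balances, order.funding_asset) >= order.size


def check_hardened(
    order: Order,
    balances: Dict[str, object],
    allowed_pairs: FrozenSet[str],
) -> Tuple[bool, Optional[str]]:
    """Server-side check: the settlement asset comes from the pair, never from the client."""
    if order.pair not in PAIRS:
        return False, f"unknown pair {order.pair}"
    if order.pair not in allowed_pairs:
        return False, f"account not enabled for {order.pair}"
    if order.side not in ("buy", "sell"):
        return False, f"invalid side {order.side!r}"
    if order.size <= 0 or order.price <= 0:
        return False, "size and price must be positive"

    base, quote = PAIRS[order.pair]
    if order.side == "sell":
        required_asset, required_amount = base, order.size
    else:
        required_asset, required_amount = quote, order.size * order.price

    # The client-supplied funding asset must agree with what the pair implies.
    if order.funding_asset != required_asset:
        return False, (f"funding asset {order.funding_asset} does not match "
                       f"{required_asset} required for {order.side} on {order.pair}")

    available = _balance(balances, required_asset)
    if available < required_amount:
        return False, f"insufficient {required_asset}: need {required_amount}, have {available}"
    return True, None


# Constructed scenario mirroring the thread: 0.0243 ETH and 50 SHIB on hand, no BTC,
# and an account that is not enabled for the BTC-USD pair.
BALANCES = {"ETH": "0.0243", "SHIB": "50"}
ALLOWED = frozenset({"ETH-USD", "SHIB-USD"})
MISMATCHED_SELL = make_order("BTC-USD", "sell", "0.0243", "40000", "ETH")


def demo() -> Tuple[bool, bool]:
    """Returns (weak check accepts, hardened check accepts) for the mismatched sell."""
    weak = check_vulnerable(MISMATCHED_SELL, BALANCES)
    strong, _ = check_hardened(MISMATCHED_SELL, BALANCES, ALLOWED)
    return weak, strong


if __name__ == "__main__":
    weak, strong = demo()
    print(f"weak check accepts the ETH-funded BTC sell: {weak}")
    print(f"hardened check accepts it: {strong}")
    print("reason:", check_hardened(MISMATCHED_SELL, BALANCES, ALLOWED)[1])
```

The hardened path rejects the order twice over, once because the account is not enabled for the pair and again, if it were, because the funding asset does not match the pair’s base. Either check alone would have stopped the sells described above; both together are the defensive default, since pair entitlement and asset-balance validation are separate controls that should not share a single point of failure.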
Coinbase won’t leave you on read
The crypto exchange recorded in its own press release, dated 19 February, that the white hat hacker raised the issue on 11 February. Both parties agree that contact was made quickly, so that the bug could be identified and then patched.
Sounds like our team is in touch, thx for connecting with them, and we’ll investigate.
— Brian Armstrong – barmstrong.eth (@brian_armstrong) February 11, 2022
Tree of Alpha approached the company through HackerOne, the platform that hosts Coinbase’s bug bounty program.
Coinbase further noted that the Retail Advanced Trading platform was in limited beta release.
A not-so-heavy price?
Many users were skeptical when they found out that Coinbase’s “largest-ever bug bounty” for this discovery came to only $250,000. The figure matters given that Tree of Alpha could have walked away with the proceeds of selling BTC they didn’t even own, or sold the information to the highest bidder.
Many now might be wondering if they would make the same choice as Tree of Alpha, or if they would need a larger reward to file the report.
Coinbase’s vulnerability comes at a crucial time for crypto, as investors question if centralized exchanges can truly keep their assets safe from both hackers and government authorities.