Wednesday, October 5, 2022

Hacker Revealed A Coinbase Bug That Allowed Him To Buy 50 Bitcoins For 50 Shiba Inu


White Hat Hackers are an essential part of the crypto market and the entire online industry, often finding defects that could end companies.

Recently a hacker known as “Tree of Alpha” won a Coinbase bounty for finding and reporting a bug that could have severely harmed Coinbase.

The hacker recounted the incident on his own Twitter account, describing how he earned what he called the “biggest bug bounty in history.” Tree of Alpha received a total of $250K for identifying the critical bug.

“How a flaw in the new Advanced Trading feature would have allowed a malicious user to sell BTC or any other coin without owning them, and how Coinbase’s reaction speed on a Super Bowl Friday averted a possible crisis.”

Tree of Alpha stated that he was tinkering with Coinbase’s new Advanced Trading platform to understand how orders were sent and executed. He placed an order on the ETH/EUR pair and noticed that the API request carried three separate fields: a product ID, a source account ID, and a target (recipient) account ID.

[Image: coinbase hack 1; source: https://twitter.com/Tree_of_Alpha/]

While experimenting with changing these IDs independently of one another, he realized something was wrong, and that it could be something dangerous.

“To get a failed message, I changed the product_id to BTC-USD but did not change the two account ids (source is my ETH wallet, the target is my EUR wallet). Expecting an error because my account is not allowed to trade the BTC-USD pair, the order just … goes through.”

[Image: coinbase hack 5; source: https://twitter.com/Tree_of_Alpha/]

By swapping these IDs he could place a sell order in an order book for a coin he did not hold. He tested this by using 0.0243 ETH to sell 0.243 BTC, simply swapping the IDs in the order request.

“I just used 0.0243 ETH to sell 0.0243 BTC on the BTC-USD pair, a pair I do not have access to without holding any BTC. Hoping this is a UI bug, I check the fills on order, and they match the API: those trades happened on the live order book.”

[Image: coinbase hack 2; source: https://twitter.com/Tree_of_Alpha/]

In theory, he could use this bug to create orders in currencies he didn’t have in his wallets. He even carried out a second experiment using the SHIB cryptocurrency.
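The flaw described above is a consistency check missing on the server side: the API accepted a product ID, a source account ID and a target account ID as three independent values instead of verifying that they agreed with each other. The following Python is an added illustration of the kind of check an exchange back end would perform, not Coinbase’s code, and it does not reproduce Coinbase’s API. The account records, product table, entitlement table and the function names `validate_sell_order` and `try_order` are all constructed for this example.

```python
"""Hypothetical server-side consistency check for an exchange sell-order endpoint.

Constructed example, not Coinbase code. Every record and name below is an
assumption made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str
    currency: str
    balance: float


@dataclass(frozen=True)
class Product:
    product_id: str
    base: str   # asset given up on a sell order
    quote: str  # asset received on a sell order


# Constructed sample data: one user ("alice") holding ETH, EUR and SHIB wallets.
PRODUCTS = {
    "ETH-EUR": Product("ETH-EUR", "ETH", "EUR"),
    "BTC-USD": Product("BTC-USD", "BTC", "USD"),
}
ACCOUNTS = {
    "acct-eth": Account("acct-eth", "alice", "ETH", 0.0243),
    "acct-eur": Account("acct-eur", "alice", "EUR", 0.0),
    "acct-shib": Account("acct-shib", "alice", "SHIB", 9_000_000),
}
# Products each user is permitted to trade (a per-user entitlement table).
ENTITLEMENTS = {"alice": {"ETH-EUR"}}


class OrderRejected(ValueError):
    """Raised when the request fields do not describe a legal order."""


def validate_sell_order(user, product_id, source_account_id, target_account_id, size):
    """Reject a sell order unless product, accounts, owner and balance all agree.

    The three request fields are never trusted independently: the caller must
    be entitled to the product, both accounts must belong to the caller, the
    source account must hold the product's base currency, the target account
    must hold its quote currency, and the balance must cover the order size.
    """
    product = PRODUCTS.get(product_id)
    if product is None:
        raise OrderRejected(f"unknown product {product_id}")
    if product_id not in ENTITLEMENTS.get(user, set()):
        raise OrderRejected(f"{user} is not entitled to trade {product_id}")

    source = ACCOUNTS.get(source_account_id)
    target = ACCOUNTS.get(target_account_id)
    if source is None or target is None:
        raise OrderRejected("unknown account id")
    if source.owner != user or target.owner != user:
        raise OrderRejected("account does not belong to caller")

    # The cross-field check the article's bug lacked: each account's currency
    # must match the side of the product it is being used for.
    if source.currency != product.base:
        raise OrderRejected(
            f"source account holds {source.currency}, but {product_id} sells {product.base}")
    if target.currency != product.quote:
        raise OrderRejected(
            f"target account holds {target.currency}, but {product_id} settles in {product.quote}")
    if size <= 0 or size > source.balance:
        raise OrderRejected(f"insufficient {product.base} balance for size {size}")
    return product, source, target


def try_order(user, product_id, source_account_id, target_account_id, size):
    """Return (accepted, reason) so the caller can log why a request was refused."""
    try:
        validate_sell_order(user, product_id, source_account_id, target_account_id, size)
        return True, "ok"
    except OrderRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Legitimate order: sell 0.01 ETH for EUR on a pair the user may trade.
    print(try_order("alice", "ETH-EUR", "acct-eth", "acct-eur", 0.01))
    # The mismatch from the article: product changed to BTC-USD while the
    # account ids still point at the ETH and EUR wallets.
    print(try_order("alice", "BTC-USD", "acct-eth", "acct-eur", 0.0243))
    # Entitled product, but the source wallet holds the wrong asset.
    print(try_order("alice", "ETH-EUR", "acct-shib", "acct-eur", 50))
```

The ordering of the checks matters for logging, not for safety: every rejection path must be reached before the order touches the matching engine, and the reason string lets an operator see whether a request failed on entitlement, ownership, currency consistency or balance, which is the detection signal that distinguishes a fat-fingered client from someone probing the endpoint.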

He sent 9 million SHIB to his Coinbase account and, swapping the order fields in the same way, created a sell order for 50 bitcoin using just 50 SHIB. He then asked people around him whether they could also see the order on the book, and they could.

“For my last test before reporting this to make sure, I send 9M SHIB to my Coinbase account -change source account id to my SHIB account on Coinbase -put a 50 BTC limit sell order using 50 SHIB -ask people around me if they are, too, seeing it.

And quite frankly, there aren’t many things quite as sobering yet terrifying as realizing: -you just put a 50 BTC limit sell order using 50 SHIB. –everyone else can see it. Five minutes later, I was sending this initial tweet.”

[Image: coinbase hack 3; source: https://twitter.com/Tree_of_Alpha/]

Tree of Alpha said that thanks to community support, the Coinbase dev team contacted him within three minutes of his report, and all Advanced Trading markets were placed in cancel-only mode while the bug was fixed.

“Thanks to an overwhelming community response including prominent faces like @cobie, @samczsun, @FEhrsam, @SecurityGuyPhil, and @vishalkgupta, I quickly get Coinbase’s attention. Barely 3 minutes after my HackerOne report was sent, I got an answer from the Dev team.

After quickly explaining the exploit and supplying proof of concept, I insist on how Coinbase needs to immediately stop all Advanced Trading, incl., and most importantly, posting orders. Less than 30 minutes later, all markets there were in cancel-only mode.”

Had a black hat hacker found the bug first, the consequences could have been severe. Thanks to Tree of Alpha, not only Coinbase was spared but also the traders who trust Coinbase’s security and trade billions of dollars on the platform.

Mark Brennanhttps://thecryptobasic.com/
Mark Brennan has been active in the cryptocurrency sector since 2014. His love and passion for the nascent industry drove him to develop interest in writing about important developments and updates about cryptocurrencies and blockchain. Brennan, who holds a Masters degree in Business Administration, learned about the potential of blockchain technology. Aside from crypto journalism, Brennan runs an education center, where he educates people about the asset class.
