Coinbase, one of the world’s leading cryptocurrency exchange platforms, has paid a hacker known on Twitter as Tree of Alpha for discovering a critically vulnerable point that could be exploited by criminals and potentially hurt the platform and the entire crypto space.
According to Tree of Alpha, users could easily sell 50 SHIB value at about $0.001 for 50 BTC without actually owing anything and it will be executed via Coinbase order books as an actual trade.
Luckily for Coinbase, Tree of Alpha contacted the company development team before any damage is done to the platform and asked that all Advanced Trading and, most importantly, order posting be immediately stopped.
On Saturday, Coinbase announced that the deficit had been closed without any damage to customers’ assets. The company lauded Tree of Alpha for his effort and as a result, the exchange paid him a bug bounty of $250,000 for his discovery. This could have also potentially helped crypto users with the security of their assets on various platforms.
Responding to questions on how he thinks the issue went on noticed, the White hat hacker said “This is a hard one: I do not know. When writing tests for an API that accepts a source account, a target account, and a product ID, the first thing I would make sure of is that the person indeed has more than “QTY” in the account. Coinbase had that part.
“The second is making sure that, for a sale on “BTC-USD” product for example, “source account” is a “BTC” account and “target account” is a “USD” account. That part was missing, and any guess from me as to why would be speculation.
“While every developer knows best practices at least vaguely, the harsh truth is a lot of shortcuts are taken to save time. If Tesla, a $890 billion company, tests payment integrations on live environment, that should tell you enough about the others.”
Asked if he can quantify the potential damage if it was exploited, he said “no, that is up to very specific Coinbase internals.
“The highest reward with the least chance of being discovered would have been, in my opinion, putting up huge BTC sell walls very close to the last traded price in order to send the market in a panic. A very small fraction would have actually filled as the narrative would have spread, and a bad actor could have profited handsomely from the ensuing chaos by shorting on other exchanges.
“All in all with this exploit, I believe most of the damage would have been on the market itself, and not as much on Coinbase customer holdings. The risk system would have kicked in, stopping all withdrawals and Coinbase could have done an internal rollback after the blow.”