A pseudonymous white-hat hacker, identified on Twitter as Tree of Alpha, has narrated how he was able to win Coinbase’s largest-ever bug bounty ($250,000), after exposing a bug that could have allowed any malicious user to break the platform in minutes.
The white-hat hacker narrated how he was able to place an order of 50 BTC ($1,937,475 at press time) for as low as 50 SHIB ($0.0012525 at press time).
Tree of Alpha tweeted, “Coinbase’s ‘largest-ever bug bounty’: How a flaw in the new Advanced Trading feature would have allowed a malicious user to sell BTC or any other coin without owning them, and how Coinbase’s reaction speed on a Super Bowl Friday averted a possible crisis. Bounty: $250,000.”
— Tree of Alpha (@Tree_of_Alpha) February 19, 2022
Tree of Alpha Narrates
Tree of Alpha narrated that he decided to poke around Coinbase to find out how orders are sent and what a successful order looks like.
He started by placing an ETH-EUR order from the UI and captured the request that was sent. He noticed that the API request carries a product ID along with source and target account IDs.
Tree of Alpha wrote, “In order to get a failed message, I changed the product_id to BTC-USD, but did not change the two account ids (source is my ETH wallet, target is my EUR wallet). Expecting an error because my account is not allowed to trade the BTC-USD pair, the order just… goes through.
“I just used 0.0243 ETH to sell 0.0243 BTC on the BTC-USD pair, a pair I do not have access to, without holding any BTC. Hoping this is a UI bug, I check the fills on the order, and they match the API: those trades really happened, on the live order book.”
Order of 50 BTC Was Successfully Placed Using 50 SHIB
To confirm that the bug was real before reporting it, the white-hat hacker said he sent 9 million SHIB to his Coinbase account and changed the source account ID in the request to his SHIB account. He added that he then successfully placed a 50 BTC ($1,937,475) limit sell order funded with only 50 SHIB ($0.0012525).
The success of these tests prompted him to post a tweet on Feb. 11 asking the crypto community for a way to contact Coinbase CEO Brian Armstrong. The community did not disappoint, and Tree of Alpha received an overwhelming response:
“For my last test before reporting this to make sure, I:
- send 9M SHIB to my Coinbase account
- change source account id to my SHIB account on Coinbase
- put a 50 BTC limit sell order using 50 SHIB
- ask people around me if they are, too, seeing it.
“And quite frankly, there aren’t many things quite as sobering yet terrifying as realizing:
- you just put a 50 BTC limit sell order using 50 SHIB.
- everyone else can see it.
5 minutes later, I was sending this initial tweet.”
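The flaw described above (the ETH-funded BTC-USD order and the SHIB-funded 50 BTC order) comes down to an order endpoint trusting the client-supplied product_id and account IDs without cross-checking them. The following is an added illustration, not Coinbase's code: the flawed function is a reconstruction of the likely logic (an assumption based on the article), and the hardened one re-derives each account's asset server-side. All accounts, products and balances are constructed sample data.

```python
from dataclasses import dataclass
# Constructed sample data modelled on the article: one user's ETH, EUR and
# SHIB wallets plus two products. Balances and ids are illustrative.
@dataclass(frozen=True)
class Account:
    id: str
    owner: str
    currency: str
    balance: float

@dataclass(frozen=True)
class Product:
    id: str
    base: str   # asset being sold or bought, e.g. BTC in BTC-USD
    quote: str  # asset it is priced in, e.g. USD

ACCOUNTS = {
    "acct-eth": Account("acct-eth", "alice", "ETH", 0.0243),
    "acct-eur": Account("acct-eur", "alice", "EUR", 0.0),
    "acct-shib": Account("acct-shib", "alice", "SHIB", 9_000_000),
}
PRODUCTS = {
    "ETH-EUR": Product("ETH-EUR", "ETH", "EUR"),
    "BTC-USD": Product("BTC-USD", "BTC", "USD"),
}

def validate_sell_unchecked(user, product_id, source_id, target_id, size):
    """Reconstructed flawed logic (assumption): size is compared with the source balance, asset ignored."""
    src = ACCOUNTS.get(source_id)
    if src is None or src.owner != user or product_id not in PRODUCTS:
        return False, "unknown product or account"
    return (src.balance >= size > 0), "balance checked, asset ignored"

def validate_sell(user, product_id, source_id, target_id, size):
    """Hardened version: re-derive and cross-check every client-supplied id."""
    product = PRODUCTS.get(product_id)
    src, dst = ACCOUNTS.get(source_id), ACCOUNTS.get(target_id)
    if product is None or src is None or dst is None:
        return False, "unknown product or account"
    if src.owner != user or dst.owner != user:
        return False, "account not owned by caller"
    # The missing consistency checks: the funding account must hold the
    # product's base asset and the target account its quote asset.
    if src.currency != product.base:
        return False, f"source holds {src.currency}, product base is {product.base}"
    if dst.currency != product.quote:
        return False, f"target holds {dst.currency}, product quote is {product.quote}"
    if not 0 < size <= src.balance:
        return False, "insufficient balance"
    return True, "ok"
```

With the flawed check, 0.0243 ETH "covers" a 0.0243 BTC sell and 9M SHIB covers a 50 BTC sell; the hardened check rejects both because the funding account does not hold the product's base asset.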
Tree of Alpha’s Discovery Halts Coinbase’s Trading Activity
After reaching out to Coinbase, he explained the severity of the issue and the need for the trading platform to immediately stop all advanced trading and posting orders. The exchange did not hesitate to swing into action.
The hacker said it would have been a bad story for the exchange if a black-hat hacker had discovered and taken advantage of the vulnerability.
“After quickly explaining the exploit and supplying a proof of concept, I insist on how Coinbase needs to immediately stop all Advanced Trading, incl. and most importantly posting orders. Less than 30 minutes later, all markets there were in cancel-only mode…
“We will never know what exactly could have happened should a black-hat hacker try to exploit it, and it is better this way. While I could have, myself, tried to flash huge limit sell orders, responsible testing requires I only do the necessary to assess the extent of the bug.”
In conclusion, Tree of Alpha praised Coinbase’s swift response to the tip-off. He said he’s not sure he could have reached any other centralized exchange that quickly in the same situation.