Coinbase Advanced Market Vulnerability
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Coinbase had a critical bug in their centralized trading platform, which would have allowed hackers to swap assets for one another arbitrarily in making trades. For example, a user could trade BTC to USD, but actually offer up only an equivalent amount of Shiba Inu token. No funds were lost as the issue was reported by a white hacker to CoinBase, who was awarded a $250k bounty.
This exchange or platform is based in United States, or the incident targeted people primarily in United States. [1][2][3][4][5][6][7][8][9]
About Coinbase
"Coinbase is a secure platform that makes it easy to buy, sell, and store cryptocurrency like Bitcoin, Ethereum, and more." "As the leading mainstream cryptocurrency exchange in the United States, Coinbase has become a standard on-ramp for new crypto investors. Coinbase offers a wide variety of products including cryptocurrency investing, an advanced trading platform, custodial accounts for institutions, a wallet for retail investors, and its own U.S. dollar stable-coin."
"Coinbase was founded in 2012 and is a fully regulated and licensed cryptocurrency exchange supporting all U.S. states except Hawaii. Coinbase initially only allowed for Bitcoin trading but quickly began adding cryptocurrencies that fit its decentralized criteria."
"Its list expanded to include Ethereum, Litecoin, Bitcoin Cash, XRP, and many others with the promise of more as long as its requirements are met."
CoinBase has participated in the HackerOne bug bounty program since March 2014[10].
The Reality
"Tree of Alpha stated that it was tinkering with the new advanced Coinbase trading platform to understand how orders were sent and executed. He said he placed an order on the ETH/EUR pair and noticed that the API needed a product identification, source, and recipient account."
"At first, I decided to poke around the new Advanced Trading platform to find out how orders are sent and what a successful one looks like."
"I put an ETH-EUR order from the UI, and grabbed the request that was sent."
"I noticed the API needs product, source and target account ids."
"In order to get a failed message, I changed the product_id to BTC-USD, but did not change the two account ids (source is my ETH wallet, target is my EUR wallet)."
"Expecting an error because my account is not allowed to trade the BTC-USD pair, the order just … goes through."
"I just used 0.0243 ETH to sell 0.0243 BTC on the BTC-USD pair, a pair I do not have access to, without holding any BTC."
What Happened
"Recently a hacker known as “Tree of Alpha” won a Coinbase bounty for finding and reporting a bug that could have severely harmed Coinbase."
| Date | Event | Description |
|---|---|---|
| February 11th, 2022 11:16:00 AM MST | Tree of Alpha Reports Vulnerability | Tree of Alpha posts on Twitter to announce the vulnerability, and request "a direct line with someone at @coinbase, preferably management or dev team, possibly @brian_armstrong himself". He has submitted a Hacker One report, but is afraid "this can't wait" because the problem "is potentially market-nuking"[11]. |
| February 11th, 2022 12:32:00 PM MST | Brian Armstrong Team In Touch | Brian Armstrong reports that the team is in touch already and thanks Tree of Alpha[12]. |
| February 11th, 2022 2:49:00 PM MST | Brian Armstrong Thanks Tree of Alpha | Brian Armstrong responds to thank Tree of Alpha "for working with [thei]r team"[13]. |
| February 11th, 2022 4:07:00 PM MST | Coinbase Enables Retail Advanced Trading | Coinbase announces on Twitter that the retail advanced trading service have been re-enabled[14]. |
Technical Details
"Tree of Alpha stated that it was tinkering with the new advanced Coinbase trading platform to understand how orders were sent and executed. He said he placed an order on the ETH/EUR pair and noticed that the API needed a product identification, source, and recipient account."
"At first, I decided to poke around the new Advanced Trading platform to find out how orders are sent and what a successful one looks like."
"I put an ETH-EUR order from the UI, and grabbed the request that was sent."
"I noticed the API needs product, source and target account ids."
"In order to get a failed message, I changed the product_id to BTC-USD, but did not change the two account ids (source is my ETH wallet, target is my EUR wallet)."
"Expecting an error because my account is not allowed to trade the BTC-USD pair, the order just … goes through."
"I just used 0.0243 ETH to sell 0.0243 BTC on the BTC-USD pair, a pair I do not have access to, without holding any BTC."
Total Amount Lost
No funds were lost.
Immediate Reactions
"Tree of Alpha stated that it was tinkering with the new advanced Coinbase trading platform to understand how orders were sent and executed. He said he placed an order on the ETH/EUR pair and noticed that the API needed a product identification, source, and recipient account."
"At first, I decided to poke around the new Advanced Trading platform to find out how orders are sent and what a successful one looks like."
"I put an ETH-EUR order from the UI, and grabbed the request that was sent."
"I noticed the API needs product, source and target account ids."
"In order to get a failed message, I changed the product_id to BTC-USD, but did not change the two account ids (source is my ETH wallet, target is my EUR wallet)."
"Expecting an error because my account is not allowed to trade the BTC-USD pair, the order just … goes through."
"I just used 0.0243 ETH to sell 0.0243 BTC on the BTC-USD pair, a pair I do not have access to, without holding any BTC."
"Hoping this is a UI bug, I check the fills on the order, and they match the API: those trades really happened, on the live order book."
"[T]here aren't many things quite as sobering yet terrifying as realizing you just put a 50 BTC limit sell order using 50 SHIB and everyone else can see it. 5 minutes later, I was sending this initial tweet."
"Anyone here can get me a direct line with someone at @coinbase, preferably management or dev team, possibly @brian_armstrong himself?" "I'm submitting a hacker1 report but I'm afraid this can't wait. Can't say more either, this is potentially market-nuking."
"On February 11, 2022, we received a report from a third-party researcher indicating that they had uncovered a flaw in Coinbase’s trading interface. We promptly mobilized our security incident response team to identify and patch the bug, and resolved the underlying system issue without any impact to customer funds."
Ultimate Outcome
A bounty of $250,000 USD was paid for the discovery.
"The consequences would have been so worst and beyond imagination, if any black hat hacker had found the nug, but thanks to Tree of Alpha, he not only saved Coinbase but all the traders that are trusting Coinbase security and trading billions of dollars on it."
"Thanks to the researcher who responsibly disclosed this issue, Coinbase was able to fix this bug in a matter of hours, and conclusively determine that it has never been maliciously exploited. We have also implemented additional checks to ensure that it cannot happen again."
"Around 11 p.m. UTC (6 p.m. ET), Coinbase tweeted that it had “re-enabled full service for retail advanced trading.”"[14]
"Coinbase strongly supports independent security research, and when those researchers uncover serious issues, we want to ensure that they are rewarded accordingly. As a result, we are paying our largest-ever bug bounty for this finding: $250,000."
"The hacker himself told the case on his Twitter account, where he talked about how he got the “biggest bug bounty in history.” Tree of Alpha received a total of $250K for identifying a fatal bug."
Total Amount Recovered
There do not appear to have been any funds lost in this case.
Ongoing Developments
TBD
Individual Prevention Policies
This case does not appear to have resulted in a loss to any individual.
When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.
Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Luckily, a white hacker found the issue before it could be exploited by anyone else for profit. This case does not appear to have resulted in a loss to any platform.
The issue could have been found earlier by more thorough validation of the Coinbase platform before the new trading platform was released.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
Finally, with smaller platforms or larger exploits, an industry insurance fund could assist.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
In this case a white hacker found the issue before it could be exploited by anyone else for profit. It does not appear that any funds were lost in this case.
The risk can be reduced through greater transparency and review of the algorithms governing the trading platform.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
An industry insurance fund could assist if there were user losses.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ Reddit - Dive into anything (Feb 23, 2022)
- ↑ Hacker Revealed A Coinbase Bug That Allowed Him To Buy 50 Bitcoins For 50 Shiba Inu - The Crypto Basic (Feb 23, 2022)
- ↑ https://www.coinbase.com/ (Dec 4, 2021)
- ↑ https://www.coinbase.com/about (Dec 4, 2021)
- ↑ Morioh (Dec 4, 2021)
- ↑ @Tree_of_Alpha Twitter (Feb 26, 2022)
- ↑ Jaw-dropping Coinbase security bug allowed users to steal unlimited cryptocurrency | The Daily Swig (Feb 26, 2022)
- ↑ https://blog.coinbase.com/retrospective-recent-coinbase-bug-bounty-award-9f127e04f060 (Feb 26, 2022)
- ↑ Coinbase Trading Vulnerability Exposed by White-Hat Hacker (Feb 26, 2022)
- ↑ HackerOne Bounty Program For CoinBase (Feb 27, 2022)
- ↑ 11.0 11.1 Tree of Alpha - "Anyone here can get me a direct line with someone at @coinbase, preferably management or dev team, possibly @brian_armstrong himself? I'm submitting a hacker1 report but I'm afraid this can't wait. Can't say more either, this is potentially market-nuking. DMs open." - Twitter (Feb 26, 2022)
- ↑ Brian Armstrong - "Sounds like our team is in touch, thx for connecting with them, and we’ll investigate." - Twitter (Feb 26, 2022)
- ↑ Brian Armstrong - "Tree_of_Alpha you're awesome - a big thank you for working with our team love how the crypto community helps each other out!" - Twitter (Feb 27, 2022)
- ↑ 14.0 14.1 Coinbase Support - "We’ve re-enabled full service for retail advanced trading. Greatly appreciate the patience and understanding of those retail advanced trading customers using our exciting new platform prior to full-public launch. Customer funds remain safe and were not impacted." - Twitter (Feb 27, 2022)