Coinbase "nuclear-grade" program bug, selling ETH as BTC! Offering up to a record high $250,000 bug bounty


Twitter user Tree of Alpha discovered a "nuclear-grade vulnerability" in the advanced trading feature of the cryptocurrency exchange Coinbase on the 12th of this month. They promptly reported the issue to the official team; once the problem was resolved, Coinbase offered a bug bounty of up to $250,000. However, the community seems to think that Coinbase is being stingy and should pay a higher amount.

Serious Trading Bug on Coinbase

This bug was discovered by Twitter user Tree of Alpha while trying out Coinbase's advanced trading platform, which is currently in Beta. They first prepared two wallets, one holding ETH and one holding Euro (EUR), and placed an ETH-EUR sell order for 0.024 ETH on the trading interface. Inspecting the API request showed that completing a transaction requires three parameters: the trading pair, the source account ID, and the target account ID.

Out of curiosity, Tree of Alpha wanted to see the error message for a failed transaction, so they changed the trading pair to BTC-USD, while the original two account IDs remained unchanged. Strangely, the transaction that was expected to fail actually went through successfully.

Without holding any BTC, the 0.024 ETH in Tree of Alpha's wallet was sold as 0.024 BTC.

According to Coinbase's bug retrospective article, the root cause was a missing logic validation check in the API endpoint. When a transaction request was submitted, the system only checked the account balance and never verified that the trading pair matched the currencies of the source and target accounts, so an order could be submitted for an asset the user did not hold.
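The following is an added illustration of the missing check described above; it is hypothetical example code, not Coinbase's endpoint or any code from the retrospective. It models a sell endpoint that takes the same three parameters the article names (trading pair, source account ID, target account ID) plus a size. The "vulnerable" handler reproduces the described behaviour of checking only the balance; the hardened handler additionally asserts that the source account holds the pair's base currency and the target account holds its quote currency. Account IDs, balances and the `BASE-QUOTE` pair format are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Account:
    account_id: str
    currency: str
    balance: Decimal


class OrderError(Exception):
    """Raised when an order fails validation."""


# Constructed sample ledger: the two wallets from the article's scenario.
# Account IDs are placeholders, not real Coinbase identifiers.
LEDGER = {
    "acct-eth": Account("acct-eth", "ETH", Decimal("0.024")),
    "acct-eur": Account("acct-eur", "EUR", Decimal("0")),
}


def parse_pair(pair: str) -> tuple[str, str]:
    """Split a 'BASE-QUOTE' trading pair into its two currency codes (assumed format)."""
    parts = pair.upper().split("-")
    if len(parts) != 2 or not all(parts):
        raise OrderError(f"malformed trading pair {pair!r}")
    return parts[0], parts[1]


def submit_sell_vulnerable(ledger, pair, source_id, target_id, size):
    """Behaviour the article describes: only the source balance is checked.

    The pair is never compared against the accounts, so an ETH wallet can
    'sell' 0.024 BTC it does not hold. Settlement is omitted; the function
    only returns the order record that would be accepted.
    """
    src = ledger.get(source_id)
    if src is None or ledger.get(target_id) is None:
        raise OrderError("unknown account")
    if size <= 0 or src.balance < size:
        raise OrderError("insufficient balance")
    base, quote = parse_pair(pair)
    return {"sell": base, "for": quote, "size": size,
            "source": source_id, "target": target_id}


def submit_sell_checked(ledger, pair, source_id, target_id, size):
    """Hardened form: the pair must agree with both accounts' currencies."""
    base, quote = parse_pair(pair)
    src = ledger.get(source_id)
    dst = ledger.get(target_id)
    if src is None or dst is None:
        raise OrderError("unknown account")
    # The asset being sold must be what the source account actually holds.
    if src.currency != base:
        raise OrderError(f"source account holds {src.currency}, order sells {base}")
    # The proceeds must land in an account denominated in the quote currency.
    if dst.currency != quote:
        raise OrderError(f"target account holds {dst.currency}, order settles in {quote}")
    if size <= 0 or src.balance < size:
        raise OrderError("insufficient balance")
    return {"sell": base, "for": quote, "size": size,
            "source": source_id, "target": target_id}


def is_accepted(handler, ledger, pair, source_id, target_id, size) -> bool:
    """Return True if the handler accepts the order, False if it raises OrderError."""
    try:
        handler(ledger, pair, source_id, target_id, size)
        return True
    except OrderError:
        return False


if __name__ == "__main__":
    size = Decimal("0.024")
    for pair in ("ETH-EUR", "BTC-USD"):
        print(pair,
              "vulnerable:", is_accepted(submit_sell_vulnerable, LEDGER, pair, "acct-eth", "acct-eur", size),
              "checked:", is_accepted(submit_sell_checked, LEDGER, pair, "acct-eth", "acct-eur", size))
```

Running the block shows both handlers accepting the legitimate ETH-EUR sell, while only the hardened handler rejects the BTC-USD request that reuses the ETH and EUR account IDs. The design point is that a balance check alone is not an authorization check: every parameter that identifies an asset has to be cross-validated against the account that is supposed to supply it.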

Subsequently, Coinbase promptly fixed the bug and awarded Tree of Alpha $250,000, the highest bug bounty in Coinbase's history.

Is Coinbase's Bug Bounty Too Low?

Following this incident, Larry Cermak, Head of Research at The Block, stated that Coinbase's bug bounty should be at least one level higher, since exploitation of such a bug by malicious hackers would undoubtedly cause a market-collapsing crash. Unless Tree of Alpha had requested this amount themselves, there is no reason why Coinbase's bug bounty should be lower than those of most DeFi protocols.

In an interview with The Block, Tree of Alpha was asked whether the bounty was too low. They said that, measured against the prevailing bounties of DeFi protocols, it is undoubtedly too low, and that Twitter users had suggested a seven-digit figure. However, the constraints on attackers differ between DeFi protocols and centralized exchanges listed in the U.S., since the latter can readily bring judicial intervention when an incident occurs. Sizing a bug bounty is also genuinely difficult: it must be large enough to incentivize gray hat hackers to act as white hats, but not so large that it encourages everyone to start probing the website for every possible error.


However, according to Coinbase's bug bounty program, the maximum reward for its most severe category is only $50,000. Measured against that scale, the $250,000 paid in this case can be considered comparatively generous.