Coinbase Bug Allowed Unlimited Ether Balances
On March 21, the popular cryptocurrency exchange Coinbase publicly revealed that its system had a bug which enabled users to add as much Ethereum as they wanted to their account balances. But thanks to a bug report, the company managed to fix this glitch quickly.
Smart Contracts Used to Manipulate Ethereum Balances
VI Company, a Dutch firm specializing in Fin-Tech, discovered the vulnerability and publicly posted about it on its HackerOne account on Wednesday. The glitch was first reported in late December 2017, and Coinbase addressed the issue on January 25th, saying the bug had been solved. Coinbase rewarded the firm with a $10,000 bounty for discovering the problem.
The researchers had found that the bug in the platform allowed a user to add as much ether as they wished to their accounts by using a smart contract.
“The researchers noticed an issue with our ETH receiving code when receiving from a contract. This allowed sending of ETH to Coinbase to be credited even if the underlying contract execution failed,” explains the exchange platform.
“The issue was fixed by changing the contract handling logic — Analysis of the issue indicated only accidental loss for Coinbase, and no exploitation attempts.”
Not the Only Exchange with This Kind of Bug
According to VI Company’s report, a set of digital wallets controlled by a smart contract could manipulate their transfer balance and trick Coinbase into believing a transfer had happened. The company explains that on Ethereum, if an internal transaction fails, the transactions before it in the same execution are reversed. On the Coinbase platform, however, the credits for those transactions were not reverted.
“On Coinbase these transactions will not be reversed, meaning someone could add as much ether to their balance as they want,” said the third party researcher regarding this disclosure.
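To make the failure mode concrete, here is an added illustration (not Coinbase's code, nor VI Company's proof of concept) of how an exchange's deposit-crediting logic should treat ETH that arrives from a contract. It assumes a simplified call-tracer shape for a transaction (fields from/to/value/error/calls, with nested calls), which is an assumption of this example rather than any specific node API, and uses constructed addresses and amounts. It goes slightly beyond the report's wording: a revert discards the state changes of the reverting frame and everything beneath it, so a value transfer is final only if the transaction as a whole succeeded and neither the carrying frame nor any ancestor reverted. The naive version credits every transfer it sees, which is the behaviour the report describes; the corrected version applies the revert rule; the third function flags the difference, which is the signal a defender would alert on.

```python
# Added illustration (not Coinbase's code): deciding which contract-originated
# ETH transfers to credit as deposits. The trace layout is an assumed,
# simplified call-tracer shape (from/to/value/error/calls); real node APIs differ.

WEI = 10**18  # 1 ETH expressed in wei

# Assumed exchange-controlled deposit addresses (constructed, not real).
DEPOSIT_ADDRESSES = {"0xdeposit1", "0xdeposit2"}


def naive_credits(trace):
    """Buggy logic: credit every value transfer into a deposit address found
    anywhere in the call tree, ignoring whether a surrounding call reverted."""
    credits = {}

    def walk(frame):
        to, value = frame.get("to"), frame.get("value", 0)
        if to in DEPOSIT_ADDRESSES and value > 0:
            credits[to] = credits.get(to, 0) + value
        for child in frame.get("calls", []):
            walk(child)

    walk(trace)
    return credits


def effective_credits(receipt_status, trace):
    """Correct logic: a transfer is final only if the whole transaction
    succeeded (receipt status 1) and neither the frame that carried the value
    nor any of its ancestors reverted. A revert undoes the reverting frame
    and every call beneath it, even calls that individually succeeded."""
    if receipt_status != 1:
        return {}
    credits = {}

    def walk(frame, ancestors_ok):
        ok = ancestors_ok and not frame.get("error")
        to, value = frame.get("to"), frame.get("value", 0)
        if ok and to in DEPOSIT_ADDRESSES and value > 0:
            credits[to] = credits.get(to, 0) + value
        for child in frame.get("calls", []):
            walk(child, ok)

    walk(trace, True)
    return credits


def uncredited_transfers(receipt_status, trace):
    """Detection aid: transfers the naive logic would credit but the correct
    logic rejects. A non-empty result on a deposit transaction is exactly the
    pattern described in the report and is worth alerting on."""
    naive = naive_credits(trace)
    good = effective_credits(receipt_status, trace)
    return {addr: amt - good.get(addr, 0)
            for addr, amt in naive.items() if amt > good.get(addr, 0)}


# Constructed sample trace (not real chain data). A user's EOA calls contract A.
# A sends 1 ETH directly to a deposit address (final), then calls contract B,
# which forwards 5 ETH to another deposit address and then reverts. The revert
# wipes out B's transfer, but A tolerates the failure, so the outer transaction
# still succeeds and the receipt status is 1.
SAMPLE_TRACE = {
    "from": "0xuser", "to": "0xcontractA", "value": 6 * WEI, "error": None,
    "calls": [
        {"from": "0xcontractA", "to": "0xdeposit2", "value": 1 * WEI,
         "error": None, "calls": []},
        {"from": "0xcontractA", "to": "0xcontractB", "value": 5 * WEI,
         "error": "execution reverted",
         "calls": [
             # This inner transfer succeeded at the time it ran, but its parent
             # reverted afterwards, so its state change never became final.
             {"from": "0xcontractB", "to": "0xdeposit1", "value": 5 * WEI,
              "error": None, "calls": []},
         ]},
    ],
}

if __name__ == "__main__":
    print("naive     :", naive_credits(SAMPLE_TRACE))
    print("effective :", effective_credits(1, SAMPLE_TRACE))
    print("flagged   :", uncredited_transfers(1, SAMPLE_TRACE))
```

Note that checking only the inner frame's own error field would not be enough: the 5 ETH transfer to 0xdeposit1 carries no error itself and is undone solely because its parent reverted, which is why the corrected walk propagates success down from the root.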
But Coinbase is not the only trading platform to be affected by bugs that enable balance manipulation. This February the Japanese exchange Zaif had a glitch that let users purchase BTC for zero dollars. A month before the Zaif episode, the company Overstock had an API glitch that let users pay in BCH for products priced in BTC.
Whether some users managed to spot and exploit Coinbase’s glitch to their advantage still remains unknown.