LARGEST EVER Coinbase Bug Bounty: 250k 

Twitter user Tree_of_Alpha earned 250k in the largest ever Coinbase Bug Bounty by finding a potentially “market-nuking” flaw. Tree_of_Alpha found an exploit in Coinbase’s Advanced Trading feature. This exploit allowed ANY person to sell ANY coin without owning it. Market-nuking indeed!

The Discovery: Tinkering with UI

Coinbase launched their advanced trading platform on November 3, 2021. The purpose was to integrate sophisticated trading tools into their platform. On February 11, 2022, Twitter user Tree_of_Alpha was exploring this new trading platform when they found the potential exploit.

The Flaw: A Missing Logic Validation Check in the API endpoint

The exploit consisted of changing the “product_id” field of the trade request.

The API (application programming interface) needs product, source and target account IDs. Tree_of_Alpha modified the API request to try to get a failure message, changing the product IDs but not the account IDs. A trade that should have given an error message executed normally…

Tree_of_Alpha was able to change their trade from 0.0243 ETH to 0.0243 BTC on the BTC-USD trading pair. This is a BIG DEAL. Tree_of_Alpha then verified that this wasn’t just an issue with the UI (user interface) by checking the order book. The trades were there.

The final trade that Tree_of_Alpha tried was exchanging SHIB for BTC in increments of 50. Shiba Inu is a dog-themed shitcoin that costs less than a penny. Bitcoin is the first cryptocurrency (price at print of ~38k). Tree_of_Alpha transferred SHIB from their wallet to Coinbase and began trying to sell it in increments of 50.
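To make the missing check concrete, here is an added example (not Coinbase's code and not from the original article) that models an order handler without and with the product-to-account consistency check. Only `product_id` comes from the article; the other field names, the account IDs and the data are hypothetical, and the ownership check is an extra safeguard the article does not discuss.

```python
# Constructed sample data; IDs and field names other than product_id are hypothetical.
ACCOUNTS = {
    "acct-eth": {"owner": "alice", "currency": "ETH", "balance": 0.0243},
    "acct-usd": {"owner": "alice", "currency": "USD", "balance": 0.0},
    "acct-bob": {"owner": "bob", "currency": "BTC", "balance": 1.0},
}
PRODUCTS = {"ETH-USD": ("ETH", "USD"), "BTC-USD": ("BTC", "USD")}  # base, quote


def place_sell_unchecked(order):
    """Model of the flaw: the balance is checked, but nothing ties the
    source account's currency to the product being traded."""
    src = ACCOUNTS[order["source_account_id"]]
    if src["balance"] < order["size"]:
        return "rejected: insufficient balance"
    return f"accepted: SELL {order['size']} on {order['product_id']}"


def validate_order(user, order):
    """Return a rejection reason, or None if the order is consistent."""
    product = PRODUCTS.get(order["product_id"])
    src = ACCOUNTS.get(order["source_account_id"])
    dst = ACCOUNTS.get(order["target_account_id"])
    if product is None or src is None or dst is None:
        return "unknown product or account"
    if src["owner"] != user or dst["owner"] != user:
        return "account not owned by caller"
    base, quote = product
    if (src["currency"], dst["currency"]) != (base, quote):
        return "account currencies do not match product"
    if src["balance"] < order["size"]:
        return "insufficient balance"
    return None


def place_sell_checked(user, order):
    """Hardened handler: reject before the order reaches the order book."""
    reason = validate_order(user, order)
    if reason:
        return f"rejected: {reason}"
    return f"accepted: SELL {order['size']} on {order['product_id']}"


# The request shape from the article: product changed, account IDs left alone.
tampered = {"product_id": "BTC-USD", "source_account_id": "acct-eth",
            "target_account_id": "acct-usd", "size": 0.0243}
honest = dict(tampered, product_id="ETH-USD")

if __name__ == "__main__":
    for name, order in (("tampered", tampered), ("honest", honest)):
        print(name, "|", place_sell_unchecked(order), "|", place_sell_checked("alice", order))
```

The check has to run server-side on every order, since the UI never produces the mismatched request in the first place.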

The Potential Exploit: A “Market-Nuking” Dip

Imagine if someone had written a script to sell 100 BTC every second on Coinbase. Imagine they also took out a leveraged short position on a 3rd party platform. The price on Coinbase drops off a cliff and arbitrageurs rush in to take advantage of price differences. People get liquidated. The leveraged short makes millions. This money moves off the trading platform. Poof, it disappears.

Coinbase claims that they have mitigating factors in place. Specifically, an automatic price protection circuit breaker activates with any strange price action. I for one am glad that it wasn’t tested by this exploit.

The Aftermath: A 250k Coinbase Bug Bounty

Twitter is an amazing piece of technology. 5 minutes after tweeting about this exploit, the Coinbase dev team had contacted Tree_of_Alpha. 30 minutes after speaking, Coinbase’s advanced trading platform was shut down. 6 hours after the initial exchange on Crypto Twitter, Coinbase had released a patch.

Their advanced trading platform was back online. Tree_of_Alpha received the Coinbase bug bounty of 250k. Hacks and exploits happen all the time in the Crypto space. This time, a white-hat discovered the bug and it was patched before it could be triggered by someone else.


Written By BowTied Ass
