Twitter user Tree_of_Alpha earned 250k in the largest ever Coinbase Bug Bounty by finding a potentially “market-nuking” flaw. Tree_of_Alpha found an exploit in Coinbase’s Advanced Trading feature. This exploit allowed ANY person to sell ANY coin without owning it. Market-nuking indeed!
The Discovery: Tinkering with UI
Coinbase launched their advanced trading platform on November 3, 2021. The purpose was to integrate sophisticated trading tools into their platform. On February 11, 2022, Twitter user Tree_of_alpha was doing some exploration of this new trading platform when they found the potential exploit.
The Flaw: A Missing Logic Validation Check in the API endpoint
The API (application programming interface) needs product, source and target account IDs. Tree_of_alpha changed the API in order to try and get a failed message, changing the product IDs but not the account IDs. A trade that should have given an error message executed normally…
Tree_of_Alpha was able to change their trade from 0.0243 ETH to 0.0243 BTC on the BTC-USD trading pair. This is a BIG DEAL. Tree_of_Alpha then verified that this wasn’t just an issue with the UI (user interface) by checking the orderbook. The trades were there.
The final trade that Tree_of_Alpha tried was exchanging SHIB for BTC in increments of 50. Shiba INU, is a dog-themed shitcoin that costs less than a penny. Bitcoin is the 1st cryptocurrency (price at print of~38k). Tree_of_Alpha transferred Shib from their wallet to Coinbase and began trying to sell it in increments of 50.
The Potential Exploit: A “Market-Nuking” Dip
Imagine if someone had written a script to sell 100 BTC every second on Coinbase. Imagine they also took out a leveraged short position on a 3rd party platform. The price on Coinbase drops off a cliff and arbitrager rush in to take advantage of price differences. People get liquidated. The leveraged short makes millions. This money moves off the trading platform. Poof, it disappears.
Coinbase claims that they have mitigating factors in place. Specifically, an automatic price protection circuit breaker activates with any strange price action. I for one am glad that it wasn’t tested by this exploit.
The Aftermath: A 250k Coinbase Bug Bounty
Twitter is an amazing piece of technology. 5 minutes after tweeting about this exploit, the Coinbase dev team had contacted Tree_of_Alpha. 30 minutes after speaking, Coinbase’s advanced trading platform was shut down. 6 hours after the initial exchange on crypto twitter, Coinbase had released a patch.
Their advanced trading platform was back online. Tree_of_Alpha received the Coinbase bug bounty of 250k. Hacks and exploits happen all the time in the Crypto space. This time, a white-hat discovered the bug and it was patched before it could be triggered by someone else.