Tree Of Alpha

Danang Priabada
3 min read · Feb 22, 2022


7:38 PM · Feb 19, 2022

Coinbase’s “largest-ever bug bounty”: how a flaw in the new Advanced Trading feature would have allowed a malicious user to sell BTC or any other coin without owning them, and how Coinbase’s reaction speed on a Super Bowl Friday averted a possible crisis. Bounty: $250,000

At first, I decided to poke around the new Advanced Trading platform to find out how orders are sent and what a successful one looks like. I put an ETH-EUR order from the UI, and grabbed the request that was sent. I noticed the API needs product, source and target account ids.

In order to get a failed message, I changed the product_id to BTC-USD but did not change the two account ids (source is my ETH wallet, target is my EUR wallet). I expected an error, because my account is not allowed to trade the BTC-USD pair, but the order just … goes through.

I just used 0.0243 ETH to sell 0.0243 BTC on the BTC-USD pair, a pair I do not have access to, without holding any BTC. Hoping this is a UI bug, I check the fills on the order, and they match the API: those trades really happened, on the live order book.
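The thread describes a server that checked the two account ids and the product id separately but never checked them against each other. The example below is an added illustration, not Coinbase's code and not code from the thread: a toy order handler in the vulnerable shape next to a hardened one. The request field names, account ids, balances and entitlement table are all assumptions constructed for the example; the thread only says the API takes a product id plus source and target account ids.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str
    currency: str
    balance: float


# Constructed sample data (assumed ids and balances, not real exchange data).
PRODUCTS: Dict[str, Tuple[str, str]] = {
    "ETH-EUR": ("ETH", "EUR"),  # (base, quote)
    "BTC-USD": ("BTC", "USD"),
}
ACCOUNTS: Dict[str, Account] = {
    "acc-eth": Account("acc-eth", "alice", "ETH", 1.0),
    "acc-eur": Account("acc-eur", "alice", "EUR", 500.0),
    "acc-shib": Account("acc-shib", "alice", "SHIB", 9_000_000.0),
}
# Products each user is entitled to trade (assumed: alice may not trade BTC-USD).
PRODUCT_ACCESS: Dict[str, Set[str]] = {"alice": {"ETH-EUR"}}


class OrderRejected(Exception):
    pass


def _owned_accounts(order: dict) -> Tuple[Account, Account]:
    """Checks shared by both handlers: accounts exist, belong to the caller,
    and the product exists. Nothing here relates the accounts to the product."""
    src = ACCOUNTS.get(order["source_account_id"])
    dst = ACCOUNTS.get(order["target_account_id"])
    if src is None or dst is None:
        raise OrderRejected("unknown account")
    if src.owner != order["user"] or dst.owner != order["user"]:
        raise OrderRejected("account not owned by requesting user")
    if order["product_id"] not in PRODUCTS:
        raise OrderRejected("unknown product")
    return src, dst


def place_sell_vulnerable(order: dict) -> dict:
    """Trusts the client-supplied product_id to be consistent with the accounts.
    A sell of N units on BTC-USD is accepted as long as the source account,
    whatever asset it holds, has N units: 50 SHIB is enough to sell 50 BTC."""
    src, _dst = _owned_accounts(order)
    if order["size"] > src.balance:
        raise OrderRejected("insufficient balance")
    return {"product_id": order["product_id"], "side": "sell",
            "size": order["size"], "debited": src.currency, "status": "accepted"}


def place_sell_hardened(order: dict) -> dict:
    """Adds the two server-side checks that close the hole: the accounts must be
    denominated in the product's own base/quote currencies, and the user must
    be entitled to trade that product. Only then is the balance checked."""
    src, dst = _owned_accounts(order)
    base, quote = PRODUCTS[order["product_id"]]
    if src.currency != base or dst.currency != quote:
        raise OrderRejected(
            f"accounts are {src.currency}/{dst.currency}, product is {base}/{quote}")
    if order["product_id"] not in PRODUCT_ACCESS.get(order["user"], set()):
        raise OrderRejected("user not entitled to trade this product")
    if order["size"] > src.balance:
        raise OrderRejected("insufficient balance")
    return {"product_id": order["product_id"], "side": "sell",
            "size": order["size"], "debited": src.currency, "status": "accepted"}


def submit(handler: Callable[[dict], dict], order: dict) -> Tuple[str, Optional[str]]:
    """Run an order through a handler and return ("accepted", currency debited)
    or ("rejected", reason), so both handlers can be compared on the same input."""
    try:
        return "accepted", handler(order)["debited"]
    except OrderRejected as exc:
        return "rejected", str(exc)


def request(user: str, product_id: str, src: str, dst: str, size: float) -> dict:
    # Assumed request shape built from what the thread says the API takes.
    return {"user": user, "product_id": product_id, "source_account_id": src,
            "target_account_id": dst, "size": size}


if __name__ == "__main__":
    cases = {
        "legit ETH-EUR": request("alice", "ETH-EUR", "acc-eth", "acc-eur", 0.0243),
        "product swapped": request("alice", "BTC-USD", "acc-eth", "acc-eur", 0.0243),
        "50 SHIB for 50 BTC": request("alice", "BTC-USD", "acc-shib", "acc-eur", 50),
    }
    for name, order in cases.items():
        print(f"{name:20} vulnerable={submit(place_sell_vulnerable, order)} "
              f"hardened={submit(place_sell_hardened, order)}")
```

The point of the side-by-side is that ownership and balance checks both pass in the "product swapped" case, so an authorization check on the accounts alone is not enough: the server has to derive the asset it will debit from the product, not from whichever account id the client chose to send.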

For my last test before reporting this, to make sure, I:
  • send 9M SHIB to my Coinbase account
  • change the source account id to my SHIB account on Coinbase
  • put a 50 BTC limit sell order using 50 SHIB
  • ask people around me if they, too, are seeing it.

And quite frankly, there aren’t many things quite as sobering yet terrifying as realizing:
  • you just put a 50 BTC limit sell order using 50 SHIB.
  • everyone else can see it.
5 minutes later, I was sending this initial tweet.

After quickly explaining the exploit and supplying a proof of concept, I insist on how Coinbase needs to immediately stop all Advanced Trading, incl. and most importantly posting orders. Less than 30 minutes later, all markets there were in cancel-only mode.

For a malicious user, a few attack vectors included:

  • Shorting on ftx/binance and flashing big limit sells (>100k btc) to make the market freak out.
  • Actually executing a constant selling pressure by using 50 SHIB to sell 50 BTC every minute.
  • Trying to withdraw the proceeds.

We will never know what exactly could have happened should a black-hat hacker try to exploit it, and it is better this way. While I could have, myself, tried to flash huge limit sell orders, responsible testing requires I only do the necessary to assess the extent of the bug.

