[Photo: a user using the Coinbase app. © Coinbase/Shutterstock.com]

A recently discovered security flaw affecting Coinbase, one of the world’s largest cryptocurrency exchanges, could have had “market-nuking” potential for the cryptocurrency landscape at large.

Because of a validation flaw in the new Advanced Trading feature, cybercriminals could have sold cryptocurrency at will without actually owning the assets, security engineer Tree of Alpha (Alpha) said.

Alpha had been tracking the issue since Feb. 11, 2022, and thanks to the emergency response by security engineers the vulnerability was addressed in a matter of hours. Coinbase awarded a record $250,000 to Alpha for the bug bounty.

Potentially “Market-nuking” Flaw

Coinbase’s blog post deconstructed the security flaw, which was caused by a “missing logic validation check in a Retail Brokerage API endpoint.” The API is utilized by Coinbase’s beta-release Retail Advanced Trading Platform.

The flaw allowed trades to be submitted to a specific order book using a “mismatched source account.” A user can have several wallets for a specific crypto asset, but Coinbase’s validation service would not check whether the wallet “was the required type (BTC wallet if BTC sell),” Alpha said.

By modifying the API request, a cybercriminal could have placed sell orders backed by a wallet that did not hold the asset being sold and profited enormously.

Alpha’s Testing Process

The discovery began when Alpha decided to “poke around” Coinbase’s Advanced Trading platform to look at how orders are sent and what a successful order looks like.

During testing, Alpha grabbed an “ETH-EUR” (Ethereum-Euro) request, upon which he “noticed the API needs product, source and target account ids.” He then modified the “product_id” to “BTC-USD” but did not change the account IDs, “expecting an error because my account is not allowed to trade the BTC-USD pair.”

However, “the order just … goes through,” he added. “Hoping this is a UI bug, I check the fills on the order, and they match the API: those trades really happened, on the live order book,” wrote Alpha.
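The server-side check Alpha describes as missing, written as an added example (this is not Coinbase’s code): the account IDs, owners and balances are constructed, and the “BASE-QUOTE” layout of product_id is assumed from the ETH-EUR and BTC-USD strings in the article.

```python
# Constructed sample wallets keyed by account id (made up for this example).
ACCOUNTS = {
    "eth-wallet": {"owner": "alice", "currency": "ETH", "balance": 5.0},
    "eur-wallet": {"owner": "alice", "currency": "EUR", "balance": 0.0},
    "btc-wallet": {"owner": "alice", "currency": "BTC", "balance": 0.0},
    "usd-wallet": {"owner": "alice", "currency": "USD", "balance": 0.0},
    "bob-btc":    {"owner": "bob",   "currency": "BTC", "balance": 2.0},
}


def check_sell_order(user, product_id, source_account_id, target_account_id, size):
    """Validate a sell order on the server before it reaches the order book.

    Returns None if the order may proceed, otherwise a string naming the
    reason it was rejected. Every field comes from the client request, so
    nothing here is trusted until it has been cross-checked against the
    server's own records.
    """
    try:
        base, quote = product_id.split("-")  # e.g. "BTC-USD" -> sell BTC for USD
    except ValueError:
        return "malformed product_id"
    src = ACCOUNTS.get(source_account_id)
    dst = ACCOUNTS.get(target_account_id)
    if src is None or dst is None:
        return "unknown account"
    if src["owner"] != user or dst["owner"] != user:
        return "account not owned by caller"
    # The check the article says was missing: a BTC sell must draw from a BTC
    # wallet, and the proceeds must land in a wallet of the quote currency.
    # Without it, ETH-EUR account ids replayed with product_id BTC-USD pass.
    if src["currency"] != base:
        return f"source wallet holds {src['currency']}, order sells {base}"
    if dst["currency"] != quote:
        return f"target wallet holds {dst['currency']}, order settles in {quote}"
    if size <= 0:
        return "size must be positive"
    if src["balance"] < size:
        return "insufficient balance"
    return None


def replay_alpha_request():
    """The request from the article: ETH-EUR wallets, product_id switched to BTC-USD."""
    return check_sell_order("alice", "BTC-USD", "eth-wallet", "eur-wallet", 1.0)
```

With the wallet-type check in place, the replayed request is refused before it touches the order book instead of filling against it.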

“oh jesus f***,” Alpha said on his Twitter feed upon realizing what had just happened. He immediately reached out to Coinbase.

What is an API?

An API (Application Programming Interface) is a defined set of requests and responses through which one piece of software uses another. It lets separate components and teams work together and reduces the amount of code developers have to write themselves.

What Could Have Happened?

According to Alpha, by exploiting the vulnerability, a cybercriminal could have:

  • Freaked out the market by exchanging large amounts of assets across various exchanges
  • Executed constant selling pressure “by using 50 SHIB to sell 50 BTC every minute”
  • Attempted to withdraw the proceeds

Fixed in the Nick of Time

Coinbase says the flaw could not have caused large-scale damage because of its “automatic price protection circuit breakers” and the monitoring of its trade surveillance teams.

Upon discovery of the flaw, Coinbase immediately halted order posting on Advanced Trading and eventually switched all of its markets to “cancel-only mode,” which disables new trades.

Coinbase engineers also confirmed that no other Coinbase Exchange APIs or user interfaces were affected by the security flaw. Since the incident, a patch has been released that fixes it.

Record $250,000 Bug Bounty Award

Coinbase paid out its “largest-ever bug bounty” to security engineer Tree of Alpha via HackerOne, the platform that hosts its bug bounty program.

“are you genius ser? I am jealous of your skills and talents,” commented a user named RJ on Alpha’s Twitter feed.

“We will never know what exactly could have happened should a black-hat hacker try to exploit it,” wrote Alpha.

Digital Assets at Risk in 2022

Cybercrime targeting cryptocurrency and digital assets is expected to grow this year as these sectors keep growing in popularity. This is evident in the slew of recent crypto-related incidents, including unprecedented crackdowns on illegal financial schemes by the U.S. Department of Justice.

The launch of dedicated government departments to battle digital asset cybercrime and analyze the blockchain is also well underway in the US. Furthermore, other widespread forms of cybercrime, such as phishing, are currently shaking the novel realm of NFTs.
