On February 11th, popular cryptocurrency exchange Coinbase was notified of a vulnerability in its new Advanced Trading platform. The notification came from the pseudonymous white-hat hacker “Tree of Alpha,” who received a $250k bug bounty, the largest ever awarded by Coinbase.
According to a blog posted by Coinbase on Friday, the root cause of the bug was a “missing logic validation check in a Retail Brokerage API endpoint, which allowed a user to submit trades to a specific order book using a mismatched source account.” As an example, suppose a user held two accounts, one with 100 ETH and one with 0 BTC. The user could submit a market order to the BTC-USD order book to sell 100 BTC, but manually edit the API request so that the ETH account was named as the source of funds. Prior to the patch, the validation service checked that the source account had a sufficient balance to cover the trade, but not that the asset held in that account matched the asset being sold on the order book. As a result, a market order to sell 100 BTC on the BTC-USD order book would be entered on the Coinbase Exchange even though the user held no BTC.
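To make the missing check concrete, here is an added example written for this article (not Coinbase's code; the account and order shapes, the field names, and the account-ownership check are assumptions). It places a balance-only validator, which behaves like the pre-patch service described above, next to one that also checks that the source account holds the asset the order book requires. The `source_account_id` field comes straight from the client's API request, so the server must treat it as attacker-controlled.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Dict


@dataclass(frozen=True)
class Account:
    account_id: str
    owner_id: str
    currency: str      # asset held in this account, e.g. "ETH"
    balance: Decimal


@dataclass(frozen=True)
class Order:
    user_id: str             # authenticated caller (assumed to come from the session, not the body)
    product_id: str          # order book, e.g. "BTC-USD"
    side: str                # "buy" or "sell"
    amount: Decimal          # base-currency size for sells, quote-currency funds for buys
    source_account_id: str   # taken from the request body, so attacker-controlled


class ValidationError(Exception):
    pass


def validate_order_vulnerable(order: Order, accounts: Dict[str, Account]) -> None:
    """Balance-only check, mirroring the pre-patch behaviour the article describes."""
    acct = accounts.get(order.source_account_id)
    if acct is None:
        raise ValidationError("unknown source account")
    if acct.balance < order.amount:
        raise ValidationError("insufficient balance")
    # Bug: the account's currency is never compared with the order book's asset,
    # so 100 ETH in the source account is enough to "sell" 100 BTC.


def required_currency(product_id: str, side: str) -> str:
    """A sell spends the base currency of the book, a buy spends the quote currency."""
    base, quote = product_id.split("-")
    if side == "sell":
        return base
    if side == "buy":
        return quote
    raise ValidationError(f"unknown side {side!r}")


def validate_order_fixed(order: Order, accounts: Dict[str, Account]) -> None:
    """Balance check plus the logic validation that the vulnerable version lacked."""
    if order.amount <= 0:
        raise ValidationError("amount must be positive")
    acct = accounts.get(order.source_account_id)
    if acct is None:
        raise ValidationError("unknown source account")
    # Assumed extra check: the caller may only draw funds from their own accounts.
    if acct.owner_id != order.user_id:
        raise ValidationError("source account not owned by caller")
    expected = required_currency(order.product_id, order.side)
    if acct.currency != expected:
        raise ValidationError(
            f"source account holds {acct.currency}, order requires {expected}")
    if acct.balance < order.amount:
        raise ValidationError("insufficient balance")


def accepted(validator: Callable[[Order, Dict[str, Account]], None],
             order: Order, accounts: Dict[str, Account]) -> bool:
    """True if the validator lets the order through, False if it rejects it."""
    try:
        validator(order, accounts)
        return True
    except ValidationError:
        return False


# Constructed sample data: one user with 100 ETH and 0 BTC, as in the article.
ACCOUNTS = {
    "acct-eth": Account("acct-eth", "user-1", "ETH", Decimal("100")),
    "acct-btc": Account("acct-btc", "user-1", "BTC", Decimal("0")),
}

# The mismatched-source order from the article: sell 100 BTC, funded from the ETH account.
MISMATCHED_SELL = Order("user-1", "BTC-USD", "sell", Decimal("100"), "acct-eth")
# A legitimate order: sell 100 ETH on ETH-USD from the ETH account.
HONEST_SELL = Order("user-1", "ETH-USD", "sell", Decimal("100"), "acct-eth")
# Correct asset but no balance: sell 1 BTC from the empty BTC account.
EMPTY_BTC_SELL = Order("user-1", "BTC-USD", "sell", Decimal("1"), "acct-btc")
# Buying on BTC-USD must be funded in USD, not ETH.
WRONG_BOOK_BUY = Order("user-1", "BTC-USD", "buy", Decimal("10"), "acct-eth")
# Another user naming someone else's account as the source.
OTHER_USER_SELL = Order("user-2", "ETH-USD", "sell", Decimal("1"), "acct-eth")

if __name__ == "__main__":
    for name, validator in (("vulnerable", validate_order_vulnerable),
                            ("fixed", validate_order_fixed)):
        print(f"{name:10s} mismatched sell accepted: "
              f"{accepted(validator, MISMATCHED_SELL, ACCOUNTS)}, "
              f"honest sell accepted: {accepted(validator, HONEST_SELL, ACCOUNTS)}")
```

Running the script shows the vulnerable validator accepting both the honest sell and the mismatched sell, while the fixed validator accepts only the honest one. The general lesson is that a balance check is an authorization check only if the thing being counted is the thing being spent; any field the client can set that selects which account, asset or book a request applies to needs its own consistency check server-side.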
On Twitter, white-hat hacker Tree of Alpha described the bug as urgent and potentially “market-nuking.” As one of the largest cryptocurrency exchanges in the world, Coinbase publishes price feeds that are used as inputs to price oracles, which other protocols rely on to determine asset prices. The vulnerability, if exploited by malicious attackers, could allow “users to send all Coinbase order books to arbitrary prices,” Tree of Alpha told CoinDesk.
According to a timeline posted by Coinbase, Tree of Alpha first tweeted about the potential bug at 10:16 AM PST on February 11th. By 11:42 AM PST, Coinbase engineers had reproduced the bug and placed the Retail Advanced Trading platform into cancel-only mode, disabling new trades. By 4:01 PM PST, a patch for the bug was validated and released. From identification to resolution, the entire incident took just under 6 hours. Tree of Alpha commended Coinbase for their reaction speed on Twitter:
Coinbase CEO Brian Armstrong thanked Tree of Alpha for identifying the bug and working with their engineers to resolve the problem: