Coinbase Announced Its $250,000 Bug Bounty After Being Informed of a Flaw on February 11
Coinbase has announced a $250,000 reward for people who discover security flaws after being informed of a flaw on February 11. The crypto exchange received a report from a third-party researcher indicating that they had uncovered a flaw in the exchange’s trading interface.
According to a recent Coinbase blog post, this is the timeline:
- 10:16 AM: A member of the crypto community tweets that they have uncovered a serious flaw in the Coinbase trading interface, and requests contacts in the platform’s Security team.
- 11:00 AM: Based on limited initial information provided by intermediaries, the platform’s Security declares an incident and mobilizes engineering resources to begin testing all trading interfaces to determine the validity of the alleged bug.
- 11:21 AM: The crypto researcher files a vulnerability report via HackerOne, Coinbase’s bug bounty platform, indicating that the flaw resides in a specific API for Retail Advanced Trading. The platform’s engineers also complete a review of all other user interfaces and Coinbase Exchange APIs and determine that they are not impacted.
- 11:42 AM: The crypto exchange engineers are able to reproduce the bug, and the Retail Advanced Trading platform is placed into cancel-only mode, disabling new trades.
- 4:01 PM: A patch is validated and released, resolving the incident.
Coinbase Flaw’s Root Cause
The underlying cause of the bug was a missing logic validation check in a Retail Brokerage API endpoint, which allowed a user to submit trades to a specific order book using a mismatched source account. This API is only utilized by their Retail Advanced Trading platform, which is currently in limited beta release.
To give an example:
- A user has an account with 100 SHIB, and a second account with 0 BTC.
- The user submits a market order to the BTC-USD order book to sell 100 BTC, but manually edits their API request to specify their SHIB account as the source of funds.
- Here, the validation service would check to determine whether the source account had a sufficient balance to complete the trade, but not whether the source account matched the proposed asset for submitting the trade.
- As a result, a market order to sell 100 BTC on the BTC-USD order book would be entered on the Coinbase Exchange.
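The scenario above, as an added illustration that is not Coinbase’s code: a balance-only validation (the described flaw) beside a check that also requires the client-supplied source account to hold the asset the order book debits. Account ids, balances and the order-book table are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Account:
    account_id: str
    asset: str
    balance: float

@dataclass
class Order:
    product_id: str          # order book, e.g. "BTC-USD"
    side: str                # this demo models "sell" market orders only
    size: float              # amount of the book's base asset to sell
    source_account_id: str   # client-controlled field in the API request

# Constructed order-book table: product id -> (base asset, quote asset)
ORDER_BOOKS = {"BTC-USD": ("BTC", "USD"), "SHIB-USD": ("SHIB", "USD")}

# Constructed accounts matching the post's example: 100 SHIB and 0 BTC
SAMPLE_ACCOUNTS = {
    "acct-shib": Account("acct-shib", "SHIB", 100.0),
    "acct-btc": Account("acct-btc", "BTC", 0.0),
}

def funding_asset(order: Order) -> str:
    """Asset a sell order on this book must be funded from (the base asset)."""
    if order.side != "sell":
        raise ValueError("demo handles sell orders only")
    base, _quote = ORDER_BOOKS[order.product_id]
    return base

def validate_vulnerable(order: Order, accounts: dict) -> tuple:
    """Flawed logic: only asks 'does the source account have enough units?'"""
    src = accounts[order.source_account_id]
    if src.balance < order.size:
        return (False, "insufficient balance")
    return (True, "accepted")       # 100 SHIB happily funds a 100 BTC sell

def validate_fixed(order: Order, accounts: dict) -> tuple:
    """Hardened logic: the source account's asset must match the book's asset."""
    src = accounts[order.source_account_id]
    needed = funding_asset(order)
    if src.asset != needed:
        return (False, f"source account holds {src.asset}, order needs {needed}")
    if src.balance < order.size:
        return (False, "insufficient balance")
    return (True, "accepted")
```

A stronger fix is to derive the funding account server-side from the product and side rather than trusting it from the request at all; the explicit asset check is the minimum that closes the mismatch.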
There were mitigating factors that would have limited the impact of this flaw had it been exploited at scale. For example, the crypto exchange has automatic price protection circuit breakers, and their trade surveillance team continuously monitors their markets for health and anomalous trading activity.