VI Company, a fintech firm based in the Netherlands, recently discovered a potentially fatal flaw in the popular cryptocurrency exchange platform Coinbase. According to a vulnerability report published on HackerOne, the firm discovered the flaw in December 2017 and reported it to Coinbase. The exchange was able to fix the bug in January 2018. As a reward for its efforts, Coinbase gave the firm a $10,000 bounty.
This news comes as several other cryptocurrency exchange platforms are seeking to actively reward individuals and firms that report serious bugs in their platforms. Binance, another popular cryptocurrency exchange platform, recently launched a $250,000 hacker bounty in the aftermath of an attempted hack on its system. Cryptocurrency exchange platforms continue to grapple with the threat of malicious incursions from hackers looking to steal valuable cryptocurrencies. There have been a number of high-profile cryptocurrency heists, with millions of dollars in cryptocurrencies stolen.
Apparently, there were issues with the receiving code that handled ether arriving from smart contracts. As a result, ether could be credited to Coinbase even if the smart contract call could not complete. A smart contract could therefore be used to manipulate a Coinbase account balance by distributing ether over a number of wallets.
The crux of the problem was a deficiency in how Coinbase processed ether sent by smart contracts. Normally, if any part of a smart contract call fails, the whole transaction is reverted. This means that the ether sent from the wallet address to the Coinbase address is returned to the sender. Due to the bug, however, that reversal was not reflected on Coinbase. This meant that a person could, in effect, add as much ether to their Coinbase balance as they wanted. According to the HackerOne report, the funds would not appear at the wallet address on the blockchain, but when the Coinbase account was inspected, the sent ether would be found credited.
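The mechanism described above is easy to model. The following is an added example, not code from VI Company, Coinbase or the HackerOne report: it simulates an exchange's deposit-crediting logic over an internal call trace (the kind a tracing RPC returns for a transaction), contrasting a naive version that credits every internal transfer to a deposit address with a safe version that first checks the receipt status and then ignores any transfer made inside a reverted frame. All addresses, hashes and traces are constructed placeholders. The second trace goes slightly beyond the article's case: the outer transaction succeeds but a nested call reverted on its own, which the safe version also handles.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample data: addresses and hashes are placeholders, not real ones.
EXCHANGE_DEPOSIT_ADDRS: Set[str] = {"0xEXCHANGE_DEPOSIT_A", "0xEXCHANGE_DEPOSIT_B"}
WEI_PER_ETH = 10**18


@dataclass
class Call:
    """One frame of an EVM call trace (shape assumed; modelled on a call tracer's output)."""
    to: str
    value: int                      # wei transferred by this frame
    reverted: bool = False          # True if this frame itself reverted
    calls: List["Call"] = field(default_factory=list)   # nested internal calls


@dataclass
class TxTrace:
    tx_hash: str
    status: int                     # receipt status: 1 = success, 0 = failed (all state changes undone)
    root: Call


def naive_credit(trace: TxTrace, deposit_addrs: Set[str]) -> Dict[str, int]:
    """Flawed crediting: every internal transfer to a deposit address is credited,
    regardless of whether the transaction or the enclosing frame reverted."""
    credits: Dict[str, int] = {}

    def walk(call: Call) -> None:
        if call.to in deposit_addrs and call.value > 0:
            credits[call.to] = credits.get(call.to, 0) + call.value
        for child in call.calls:
            walk(child)

    walk(trace.root)
    return credits


def safe_credit(trace: TxTrace, deposit_addrs: Set[str]) -> Dict[str, int]:
    """Correct crediting: a transfer counts only if the receipt status is 1 and
    neither the frame that made it nor any frame enclosing it reverted."""
    if trace.status != 1:
        return {}                   # whole transaction reverted: nothing moved on-chain
    credits: Dict[str, int] = {}

    def walk(call: Call, ancestor_reverted: bool) -> None:
        reverted = ancestor_reverted or call.reverted
        if not reverted and call.to in deposit_addrs and call.value > 0:
            credits[call.to] = credits.get(call.to, 0) + call.value
        for child in call.calls:
            walk(child, reverted)   # a revert undoes everything beneath it

    walk(trace.root, False)
    return credits


# Constructed trace 1: a distributor contract forwards 1 ETH to a deposit address, then reverts.
REVERTED_TX = TxTrace(
    tx_hash="0xCONSTRUCTED_TX_1",
    status=0,
    root=Call(to="0xDISTRIBUTOR", value=3 * WEI_PER_ETH, reverted=True, calls=[
        Call(to="0xEXCHANGE_DEPOSIT_A", value=1 * WEI_PER_ETH),
        Call(to="0xSOME_OTHER_WALLET", value=1 * WEI_PER_ETH),
    ]),
)

# Constructed trace 2: the transaction succeeds, but one nested call reverted on its own
# (its caller swallowed the failure), so only the transfer outside that frame is real.
PARTIAL_TX = TxTrace(
    tx_hash="0xCONSTRUCTED_TX_2",
    status=1,
    root=Call(to="0xDISTRIBUTOR", value=2 * WEI_PER_ETH, calls=[
        Call(to="0xEXCHANGE_DEPOSIT_A", value=1 * WEI_PER_ETH),
        Call(to="0xHELPER", value=1 * WEI_PER_ETH, reverted=True, calls=[
            Call(to="0xEXCHANGE_DEPOSIT_B", value=1 * WEI_PER_ETH),
        ]),
    ]),
)

if __name__ == "__main__":
    for tx in (REVERTED_TX, PARTIAL_TX):
        print(tx.tx_hash, "naive:", naive_credit(tx, EXCHANGE_DEPOSIT_ADDRS),
              "safe:", safe_credit(tx, EXCHANGE_DEPOSIT_ADDRS))
```

For the reverted trace the naive routine credits 1 ETH that never left the sender, which is exactly the balance manipulation the article describes; the safe routine credits nothing. The receipt-status check alone is not sufficient for the second trace, which is why the safe version also tracks reverts per frame.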
According to an article posted on the VI Company website, the flaw was discovered quite by chance in the lead-up to Christmas. While running tests with smart contracts to distribute "Christmas presents" to its employees, the firm noticed an error with certain wallets on the Ethereum blockchain. An employee who had used a Coinbase wallet reported that he had indeed received the ether even though the smart contract had returned an error. The team initially dismissed it as a minor issue, but on investigating further found that there was indeed a bug in the Coinbase system.
Perhaps luckily for Coinbase, there were no exploitation attempts using this bug in its system. The team at VI Company was able to contact Coinbase via HackerOne, an online disclosure platform. Within a few weeks, the team at VI Company and the security unit at Coinbase were corresponding back and forth, and after about a month the bug was resolved. Coinbase requested that the information not be made public until Wednesday, 21 March 2018.
Featured image by Niclas Ernst