If you were a white hat hacker and you had to choose between exploiting a “potentially market-nuking” vulnerability and accepting a $250,000 bug bounty, what would you pick? This month, one white hat hacker chose the latter, leading to a big sigh of relief from the Coinbase exchange.
The engineer, who goes by the name “Tree of Alpha” on Twitter (@Tree_of_Alpha), shared a thread with the details of the vulnerability and how they tested the bug before reaching out to Coinbase. Tree of Alpha claimed that the vulnerability in the exchange giant’s Advanced Trading feature might have let a less ethical hacker walk away with profits after selling Bitcoin and other coins that they didn’t even hold.
Tree of Alpha also claimed,
“I just used 0.0243 ETH to sell 0.0243 BTC on the BTC-USD pair, a pair I do not have access to, without holding any BTC.”
Next, they tried to place a 50 BTC limit sell order using 50 SHIB. When other people reportedly said they too could see this, Tree of Alpha tweeted for help to reach Coinbase’s top execs. Praising Coinbase’s reaction speed, Tree of Alpha said,
“While I sometimes have my beef with Coinbase, I am not sure I could have reached any other CEX that quickly in the same situation.”
The crypto exchange recorded in its own press release – dated 19 February – that the white hat hacker raised the issue on 11 February. Both parties agreed that contact was quickly made so that the bug could be identified and then patched.
“Sounds like our team is in touch, thx for connecting with them, and we’ll investigate.” — Brian Armstrong – barmstrong.eth (@brian_armstrong), February 11, 2022
Tree of Alpha approached the company as part of HackerOne, Coinbase’s bug bounty platform.