How to hack Coinbase to steal cryptocurrency? Researcher details an easy way to do it
A cybersecurity specialist received a bug bounty of $250,000 USD for reporting a critical vulnerability in the Coinbase cryptocurrency exchange; exploiting it would have allowed a complex electronic fraud to be carried out.
The researcher identified as Tree of Alpha was recognized by the exchange platform, receiving one of the largest vulnerability reporting rewards Coinbase has ever delivered.
In his report, the researcher explains that the flaw would have let Coinbase users sell cryptocurrency that was not theirs, because an API endpoint on the platform lacked proper validation: a user exploiting the flaw could send orders to a specific order book from a source account that did not match the asset being traded, which is another way of saying they would be stealing cryptocurrency.
In this regard, the exchange platform published a statement describing an attack: “Suppose a user controls an account with 100 SHIB and another with 0 Bitcoin; the user could send a market order to the BTC-USD book in order to sell 100 Bitcoin, manually editing their API request to specify the SHIB account as the source of the exchanged assets.”
At this point, the validation service would check whether the source account had a sufficient balance to complete the trade, but not whether the source account actually held the asset named in the order: “In this way, a market order to sell 100 BTC in the BTC-USD order book would be entered into Coinbase Exchange.”
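To make the missing check concrete, the following is an added example written for this page; it is not Coinbase's code, and every name in it (the `Account` and `SellOrder` types, `validate_sell_vulnerable`, `validate_sell_hardened`, `find_asset_mismatches`, the account ids and balances) is constructed. It models a sell-order validator that, like the one described above, only checks the balance of a client-supplied source account, places the corrected validator beside it (caller owns the account, account currency equals the book's base asset, then the balance check), and adds a small audit routine a defender could run over already-accepted orders to spot the same mismatch after the fact.

```python
"""Model of a trading API that trusts a client-supplied source account."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass
class Account:
    account_id: str
    owner: str          # user who owns the account
    currency: str       # asset held, e.g. "BTC" or "SHIB"
    balance: Decimal


@dataclass
class SellOrder:
    order_id: str
    product: str            # order book, e.g. "BTC-USD"
    source_account_id: str  # supplied by the client in the API request
    size: Decimal           # amount of the base asset to sell
    submitted_by: str       # authenticated caller


class OrderRejected(Exception):
    pass


def base_asset(product: str) -> str:
    """'BTC-USD' -> 'BTC': the asset a sell order parts with."""
    base, sep, quote = product.partition("-")
    if not sep or not base or not quote:
        raise OrderRejected(f"malformed product id {product!r}")
    return base


def validate_sell_vulnerable(order: SellOrder, accounts: Dict[str, Account]) -> Account:
    """Checks only that the named source account can cover the size.
    It never asks whether that account holds the asset being sold, so a
    100 SHIB account is accepted as the source for a sale of 100 BTC."""
    acct = accounts[order.source_account_id]
    if acct.balance < order.size:
        raise OrderRejected("insufficient balance")
    return acct


def validate_sell_hardened(order: SellOrder, accounts: Dict[str, Account]) -> Account:
    """Binds the source account to the caller and to the book's base asset
    before the balance is even looked at."""
    acct = accounts.get(order.source_account_id)
    if acct is None:
        raise OrderRejected("unknown source account")
    if acct.owner != order.submitted_by:
        raise OrderRejected("source account not owned by caller")
    asset = base_asset(order.product)
    if acct.currency != asset:
        raise OrderRejected(f"source account holds {acct.currency}, order sells {asset}")
    if acct.balance < order.size:
        raise OrderRejected("insufficient balance")
    return acct


def find_asset_mismatches(orders: List[SellOrder], accounts: Dict[str, Account]) -> List[str]:
    """Audit helper: ids of accepted orders whose source account currency
    does not match the base asset of the book they were sent to."""
    bad = []
    for o in orders:
        acct = accounts.get(o.source_account_id)
        if acct is None or acct.currency != base_asset(o.product):
            bad.append(o.order_id)
    return bad


# Constructed sample data mirroring the scenario in the exchange's statement.
ACCOUNTS = {
    "acct-shib": Account("acct-shib", "alice", "SHIB", Decimal("100")),
    "acct-btc": Account("acct-btc", "alice", "BTC", Decimal("0")),
    "acct-btc-bob": Account("acct-btc-bob", "bob", "BTC", Decimal("2")),
}

# Order that names the SHIB account as the source for a BTC sale.
CRAFTED = SellOrder("o1", "BTC-USD", "acct-shib", Decimal("100"), "alice")
# Ordinary order: a BTC account selling BTC it actually holds.
LEGIT = SellOrder("o2", "BTC-USD", "acct-btc-bob", Decimal("1"), "bob")


def run_demo() -> dict:
    """Runs both validators over both orders and the audit over both."""
    results = {}
    for name, validator in (("vulnerable", validate_sell_vulnerable),
                            ("hardened", validate_sell_hardened)):
        for o in (CRAFTED, LEGIT):
            try:
                validator(o, ACCOUNTS)
                results[(name, o.order_id)] = "accepted"
            except OrderRejected as e:
                results[(name, o.order_id)] = f"rejected: {e}"
    results["audit"] = find_asset_mismatches([CRAFTED, LEGIT], ACCOUNTS)
    return results


if __name__ == "__main__":
    for key, outcome in run_demo().items():
        print(key, "->", outcome)
```

The ordering in `validate_sell_hardened` is deliberate: identity and asset binding come before the balance check, so a request that names someone else's account or an account in the wrong currency is rejected with a reason that names the mismatch, which is also the signal the audit routine keys on.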
Through his Twitter account, the researcher described how he used the flaw to sell 0.0243 BTC backed only by a balance held in Ethereum: “These transactions really happened,” says Alpha. Upon discovering the problem, the researcher reported the bug to Coinbase’s bug bounty program, which is managed through the HackerOne platform.
Coinbase acknowledged and fixed the error less than six hours after receiving the report, although in its message the platform ruled out that the error had been actively exploited: “This API is only used by our Retail Advanced Trading platform, which is currently in a very limited beta version.”
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
Originally published at https://www.securitynewspaper.com on February 22, 2022.