Coinbase Bug Let Users Steal Unlimited ETH

0
810
Coinbase
(Credit: The Verge)

A Coinbase bug could have just given you a one-off opportunity to become a cryptocurrency multi-billionaire.

Coinbase
(Credit: The Verge)

In a report made public yesterday, the Dutch fintech firm discovered a vulnerability that allowed users to steal as much Ethereum (ETH) as they want. The glitch was first reported in December 27 last year.

The US’ largest exchange awarded VI Company a bounty of $10,000 for spotting the smart contract issue.

“By using a smart contract to distribute ether over a set of wallets you can manipulate the account balance of your Coinbase account,” the VI Company outlined in the report.

“If one of the internal transactions in the smart contract fails all transactions before that will be reversed. But on Coinbase these transactions will not be reversed”.

This meant that someone could have abused this issue to credit their wallets with infinite amounts of Ethereum.

The researchers at VI Company uploaded screenshots of the transactions on the app as well as a link of the transaction to Etherscan.

If you’re wondering how they did the transaction, you’re in luck. The researches explained the process of the exploit:

  • Setup a smart contract with a few valid Coinbase wallets and 1 final faulty wallet (always throw exception when receiving funds smart contract for example)
  • Transfer appropriate funds to smart contract.
  • Execute smart contract adding the set amount of ether to the Coinbase wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet.
  • Repeat until you have more than enough ethereum in your Coinbase wallet.
  • Cash out, transfer to off site wallet.

It is unclear if there were people who managed to abuse the glitch.

According to Coinbase however, “Analysis of the issue indicated only accidental loss for Coinbase, and no exploitation attempts”.

The US-based exchanged has been facing continued technical difficulties for almost a year now. This is mainly because of the huge influx of new users in the mid-2017.