Mar 23, 2018 04:19 PM IST | Source: Moneycontrol.com

Cryptocurrency exchange bug allowed users to transfer unlimited Ethereum to themselves

The now-solved bug could have been disastrous for Coinbase

Moneycontrol News @moneycontrolcom

A Dutch fintech company discovered a critical bug in the cryptocurrency exchange Coinbase's system, which could have proven very costly if exploited by an entity with malicious intent. The Coinbase team resolved the bug after it was reported.

The vulnerability was publicly disclosed on Wednesday by the Dutch firm VI Company on its HackerOne account. It was initially reported at the end of December, last year.

The disclosure revealed that the bug in the smart contract (terms which regulate the transfer of cryptocurrencies based on the Ethereum blockchain) allowed users to manipulate the balance of their Coinbase accounts.

Describing the vulnerability, VI Company said that, by design, if one of the internal transactions in the smart contract fails, all transactions before it should be reversed. On Coinbase, however, these transactions were not reversed, meaning someone could add as much ether to their balance as they wanted.

However, this balance would show only in the Coinbase wallet. If a wallet not linked to Coinbase is used, the bug would not surface. The VI Company team also published the steps which could have got a user all the ether they could ever spend:

— Set up a smart contract with a few valid Coinbase wallets and [one] final faulty wallet

— Transfer appropriate funds to smart contract

— Execute smart contract adding the set amount of ether to the Coinbase wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet

— Repeat until you have more than enough ether in your Coinbase wallet

— Cash out.
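The accounting flaw described above can be shown from the exchange's side as an added illustration; it is not Coinbase's or VI Company's code, and the trace model, addresses, hashes and function names are all constructed for the example. A deposit processor that judges each internal transfer on its own credits wallets for a transaction that failed, while one that first checks whether the enclosing transaction was committed credits nothing:

```python
from dataclasses import dataclass

ETH = 10**18  # wei per ether

@dataclass(frozen=True)
class InternalTransfer:
    to: str          # recipient address (constructed placeholder values below)
    value_wei: int
    call_ok: bool    # did this individual transfer return without error?

@dataclass(frozen=True)
class TxTrace:
    tx_hash: str
    committed: bool  # False: the transaction failed, so every transfer in it was reversed
    transfers: tuple

def credit_per_transfer(trace, deposit_addrs, ledger):
    """Flawed: credits each internal transfer that looks fine in isolation."""
    out = dict(ledger)
    for t in trace.transfers:
        if t.call_ok and t.to in deposit_addrs:
            out[t.to] = out.get(t.to, 0) + t.value_wei
    return out

def credit_if_committed(trace, deposit_addrs, ledger):
    """Corrected: a failed transaction moved no ether, so it credits nothing."""
    if not trace.committed:
        return dict(ledger)
    return credit_per_transfer(trace, deposit_addrs, ledger)

def unbacked_wei(trace, ledger_before, ledger_after):
    """Reconciliation check: credited wei that the chain never delivered."""
    credited = sum(ledger_after.values()) - sum(ledger_before.values())
    delivered = sum(t.value_wei for t in trace.transfers if t.call_ok) if trace.committed else 0
    return credited - delivered

# Constructed sample: two valid deposit wallets, then a faulty final wallet.
DEPOSIT_ADDRS = {"0xDEPOSIT_A", "0xDEPOSIT_B"}
REVERTED = TxTrace("0xTX_REVERTED", False, (
    InternalTransfer("0xDEPOSIT_A", 1 * ETH, True),
    InternalTransfer("0xDEPOSIT_B", 1 * ETH, True),
    InternalTransfer("0xFAULTY", 1 * ETH, False),
))
COMMITTED = TxTrace("0xTX_OK", True, (InternalTransfer("0xDEPOSIT_A", 1 * ETH, True),))

if __name__ == "__main__":
    for fn in (credit_per_transfer, credit_if_committed):
        after = fn(REVERTED, DEPOSIT_ADDRS, {})
        print(fn.__name__, after, "unbacked wei:", unbacked_wei(REVERTED, {}, after))
```

The reconciliation function is the kind of invariant a ledger can alert on: any positive value means internal balances have grown without matching ether arriving on-chain.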

“The issue was fixed by changing the contract handling logic. Analysis of the issue indicated only accidental loss for Coinbase, and no exploitation attempts,” Coinbase said.

“The Security team thanks VI Company for the quick disclosure, and also the internal team for pushing a fix within hours. We do appreciate VI Company's patience as the full communication loop back to HackerOne took significantly longer than the fix deployment cycle.”

The cryptocurrency exchange rewarded the team that discovered the bug with USD 10,000. “Yes, a USD 10,000 reward is quite a bit of money, but comparing this to the potential amount of damage this bug could have done makes the reward seem tiny,” Jesse Lakerveld, who was part of the team that discovered the bug, wrote in a blog post.

