Cryptocurrency exchange desk and wallet provider Coinbase recently saw researchers from Dutch fintech firm VI Company help it solve a potentially disastrous bug, that allowed any user to give himself unlimited free ether (ETH).
Upon finding the bug, the Dutch firm contacted Coinbase in late December last year, and the problem was fixed by January. Coinbase has since awarded the company a $10,000 bug bounty payment.
The vulnerability itself was described by researchers at VI Company as follows: “By using a smart contract to distribute ether over a set of wallets you can manipulate the account balance of your Coinbase account.”
The researchers added that:
“If 1 of the internal transactions in the smart contract fails all transactions before that will be reversed. But on Coinbase these transactions will not be reversed, meaning someone could add as much ether to their balance as they want.”
According to VI Company, all anyone had to do was set up a smart contract “with a few valid Coinbase wallets and a final faulty wallet.” Then, the user needed to transfer funds to the smart contract, and “execute smart contract adding the set amount of ether to the Coinbase wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet.”
Then, it was just a matter of repeating these steps until it was time to cash out. This means that any user could have potentially abused the glitch to earn free ether at Coinbase’s expense.
The earning potential would be virtually unlimited. The Rotterdam-based researchers decided to not take advantage of it, and instead used HackerOne to privately inform Coinbase about the bug. At press time, it’s unclear if anyone managed to exploit the vulnerability to get rich.
Discovering the bug
VI Company notably came across the vulnerability while conducting tests on the Ethereum blockchain for an unrelated project. During the testing, according to researcher Jesse Lakerveld, most wallets showed them an error, which stopped the smart contract and reversed all transactions.
One of the researchers used a Coinbase wallet, and noticed the company credited his account with ether, despite none being sent. Initially, it was written off as “an odd that happens from time to time.”
The researchers then attempted to recreate the bug, and found out it was a critical vulnerability. As reported by Core Media, it isn’t the first one Coinbase has dealt with. Last month, it charged its customers up to 50 times on a single purchase, while earlier this month, it reportedly lost some of its customers’ bitcoins.