Coinbase Smart Contract Temporarily Allowed Unlimited ETH Withdrawals
Mar 23, 2018, 8:45PM
A bug discovered by the VI Company in a Coinbase Smart Contract could have allowed a user to use faulty wallets to repeatedly drain every last ETH from Coinbase's ETH reserves.
Coinbase, one of the biggest names in the US crypto market, temporarily suffered from a smart contract bug that could have lost the company millions of dollars in ETH. The Dutch security firm VI Company recently discovered and reported the flaw. According to reports by VI, the bug was initially detected in December 2017, but was studied in depth before being fixed, to avoid any possibility of manipulation by malicious players.
Coinbase's identity-oriented MO would have allowed them to identify any potential hackers. However, no attempts at exploiting the bug were reported by Coinbase.
“The researchers noticed an issue with our ETH receiving code when receiving from a contract. This allowed sending of ETH to Coinbase to be credited even if the underlying contract execution failed. The issue was fixed by changing the contract handling logic. Analysis of the issue indicated only accidental loss for Coinbase and no exploitation attempts.” - Coinbase spokespersons via the HackerOne platform.
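The failure mode in the statement above, a deposit being credited although the contract execution behind it failed, can be shown with deposit accounting over a transaction call trace. This is an added example, not Coinbase's or the VI Company's code; the frame layout is assumed to follow geth's callTracer output (type, to, value, error, calls), and the addresses and traces are constructed.

```python
# Added illustration; traces and addresses below are constructed sample data.
# Assumed frame layout (modelled on geth's callTracer): type, to, value (hex
# wei), optional error, and nested calls. Only CALL frames are considered.
EXCHANGE = "0x" + "ee" * 20   # hypothetical exchange deposit address
SENDER = "0x" + "c0" * 20     # hypothetical contract that forwards ETH
ONE_ETH = hex(10**18)

def naive_credit(frame, deposit_addr):
    """Flawed: counts every value transfer to deposit_addr, whatever the outcome."""
    total = 0
    if frame.get("type") == "CALL" and (frame.get("to") or "") == deposit_addr:
        total += int(frame.get("value", "0x0"), 16)
    return total + sum(naive_credit(c, deposit_addr) for c in frame.get("calls", []))

def safe_credit(frame, deposit_addr, ancestor_failed=False):
    """Counts a transfer only if its frame and every enclosing frame succeeded.

    A revert in a parent frame undoes its children's transfers, even when the
    child frame itself carries no error, so failure is propagated downwards.
    """
    failed = ancestor_failed or bool(frame.get("error"))
    total = 0
    if (not failed and frame.get("type") == "CALL"
            and (frame.get("to") or "") == deposit_addr):
        total += int(frame.get("value", "0x0"), 16)
    return total + sum(safe_credit(c, deposit_addr, failed)
                       for c in frame.get("calls", []))

def forwarded(error=None):
    """Constructed trace: a transaction calls SENDER, which sends 1 ETH on."""
    top = {"type": "CALL", "to": SENDER, "value": "0x0",
           "calls": [{"type": "CALL", "to": EXCHANGE, "value": ONE_ETH}]}
    if error:
        top["error"] = error
    return top

if __name__ == "__main__":
    for label, trace in (("success", forwarded()),
                         ("reverted", forwarded("execution reverted"))):
        print(label, naive_credit(trace, EXCHANGE), safe_credit(trace, EXCHANGE))
```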
The VI Company used HackerOne to contact Coinbase and resolve the issue. HackerOne is an online platform where a commercial entity can communicate discreetly with other companies to, among other things, disclose bugs they have discovered.
Blockchain specialist Jesse Lakerveld from the VI Company declared:
“You can imagine that some companies might not be very happy if you post stuff like this in public. Luckily, a security class at the Hogeschool Rotterdam showed me the platform HackerOne and how it can help in these kinds of situations.”
To thank VI for this important discovery, and their discretion in reporting it, Coinbase awarded the Dutch company $10,000.
A bug like this on Coinbase, one of the biggest players in the crypto world, shows us that there is still plenty of work to be done to secure crypto exchanges and Smart Contracts from breaches. An error like this could potentially have cost Coinbase or its end-users many millions of dollars, as well as undermining the public's trust in Smart Contract technologies: after all, it has happened before.