Dutch financial tech firm VI Company uncovered a flaw in digital currency exchange Coinbase’s system that allowed users to add an unlimited amount of the digital currency Ether (ETH) -- a cryptocurrency running on the Ethereum network -- to their Coinbase account.
In technical terms, Coinbase users were able to exploit a “smart contract” to send Ether to as many “wallets” as they could set up in their Coinbase account. A smart contract is a program stored on the blockchain that automatically carries out the terms of an agreement, such as transferring Ether, when it is invoked.
The bug has been patched, but the exploit is yet another example of how digital cryptocurrency platforms are not yet foolproof when it comes to security or design.
Merry Christmas to… myself!
In the spirit of giving, VI Company’s discovery of the bug came out of designing a Christmas “present” it would give out to clients.
VI’s present was a small amount of Ether, but delivered in a way that gave the recipient a first-person look into how the technology behind Ether, smart contracts, and blockchains worked.
“What we didn’t expect was that one of our colleagues, who decided to use Coinbase as his wallet, told us he received the Ethereum,” wrote blockchain specialist Jesse Lakerveld in a VI blog post. “After checking, we found out that no Ethereum had been sent to our colleague according to the smart contract. But according to his Coinbase wallet, he did receive it.”
Lakerveld decided to try to reproduce the issue on a smaller scale and found that users could indeed add Ethereum to Coinbase wallets without “sending” the asset from a smart contract.
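The failure described above boils down to an exchange crediting a customer's balance on evidence other than the chain's final state. The following is an added, simplified model (not Coinbase's or VI Company's code, and it makes no claim about Coinbase's actual internals) contrasting a deposit watcher that credits whatever value transfers a contract's execution trace shows against one that credits only after the transaction's receipt status is successful and the recipient's on-chain balance change matches the trace. All addresses, transaction hashes and amounts are constructed sample values.

```python
"""Deposit-crediting reconciliation: an added educational model, not exchange code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

WEI = 10 ** 18  # 1 ETH expressed in wei


@dataclass
class InternalTransfer:
    """A value transfer observed inside a contract call (one execution-trace entry)."""
    sender: str
    recipient: str
    value_wei: int


@dataclass
class Receipt:
    """What a node reports for a mined transaction; status 1 = success, 0 = reverted.

    balances_before/after stand in for querying account state at the blocks
    around the transaction (constructed here instead of fetched from a node).
    """
    tx_hash: str
    status: int
    trace: List[InternalTransfer] = field(default_factory=list)
    balances_before: Dict[str, int] = field(default_factory=dict)
    balances_after: Dict[str, int] = field(default_factory=dict)


def credit_from_trace(receipts: List[Receipt], watched: List[str]) -> Dict[str, int]:
    """Weak design: trust every transfer the trace shows and credit it immediately."""
    credits = {addr: 0 for addr in watched}
    for receipt in receipts:
        for transfer in receipt.trace:
            if transfer.recipient in credits:
                credits[transfer.recipient] += transfer.value_wei
    return credits


def credit_reconciled(receipts: List[Receipt], watched: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Hardened design: credit only value the chain's final state confirms.

    Reverted transactions are skipped outright, and for successful ones the
    amount the trace claims must equal the observed balance delta; anything
    else is routed to manual review instead of being credited.
    """
    credits = {addr: 0 for addr in watched}
    review: List[str] = []
    for receipt in receipts:
        if receipt.status != 1:
            review.append(f"{receipt.tx_hash}: reverted, trace transfers ignored")
            continue
        for addr in watched:
            claimed = sum(t.value_wei for t in receipt.trace if t.recipient == addr)
            observed = receipt.balances_after.get(addr, 0) - receipt.balances_before.get(addr, 0)
            if claimed == 0 and observed == 0:
                continue  # this address was not involved in the transaction
            if claimed == observed:
                credits[addr] += observed
            else:
                review.append(f"{receipt.tx_hash}: {addr} trace claims {claimed} wei, chain shows {observed} wei")
    return credits, review


# Constructed sample data: two watched deposit addresses and three transactions.
WATCHED = ["0xALICE", "0xBOB"]  # placeholder addresses, not real accounts
SAMPLE_RECEIPTS = [
    # A genuine 0.01 ETH deposit: trace and balance delta agree.
    Receipt("0xtx1", 1,
            [InternalTransfer("0xCONTRACT", "0xALICE", WEI // 100)],
            {"0xALICE": 0}, {"0xALICE": WEI // 100}),
    # A reverted call whose trace still shows 1 ETH going to each address.
    Receipt("0xtx2", 0,
            [InternalTransfer("0xCONTRACT", "0xALICE", WEI),
             InternalTransfer("0xCONTRACT", "0xBOB", WEI)],
            {"0xALICE": WEI // 100, "0xBOB": 0}, {"0xALICE": WEI // 100, "0xBOB": 0}),
    # A successful call whose trace claims 5 ETH but the chain shows no change.
    Receipt("0xtx3", 1,
            [InternalTransfer("0xCONTRACT", "0xBOB", 5 * WEI)],
            {"0xBOB": 0}, {"0xBOB": 0}),
]

if __name__ == "__main__":
    print("trace-only credits:", credit_from_trace(SAMPLE_RECEIPTS, WATCHED))
    confirmed, flagged = credit_reconciled(SAMPLE_RECEIPTS, WATCHED)
    print("reconciled credits:", confirmed)
    for line in flagged:
        print("review:", line)
```

Run against the sample, the trace-only watcher credits Alice 1.01 ETH and Bob 6 ETH, while the reconciled watcher credits Alice 0.01 ETH, Bob nothing, and sends the reverted and mismatched transactions to review. In a real deployment the balance snapshots would come from the node at the block before and after the transaction, and the credit would additionally wait for a confirmation depth.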
Now what do we do?
The bug VI uncovered was, in the company’s words, “quite big.” The conundrum was how to clue in Coinbase in a “proper” way.
VI’s team decided to go with HackerOne, a hacker-powered security platform that connects businesses with cybersecurity researchers. HackerOne is one of the good guys in the hacking world: its clients -- which include GM, Starbucks, Spotify, Nintendo, and the U.S. Department of Defense -- offer bounties to hackers who identify bugs in their systems and products.
Lucky for VI, Coinbase was a HackerOne client. In late January, the platform confirmed that the bug had been fixed and happily paid a bounty of $10,000.
“Analysis of the issue indicated only accidental loss and no exploitation attempts,” Coinbase officials said.
Coinbase hasn’t always been so lucky
Loopholes similar to what VI dug up have put Coinbase in a bind before. In January, a website glitch at Overstock.com allowed users to pay and request refunds in either Bitcoin or Bitcoin Cash. Overstock uses Coinbase’s merchant integration API.
Coinbase was also blamed for a bug that accidentally charged users as many as 17 times for the same purchase. However, the company was found not to be responsible, and both Visa and Worldpay exonerated it. Coinbase has announced that it will issue refunds to any consumer who was affected by the bug.