Coinbase bug allowed users to steal unlimited ETH

Coinbase, one of the most widely used exchanges for US-based customers, shipped a bug in its Ethereum deposit-handling code that, luckily, caused no large-scale losses. The faulty logic was live for about a month and could have let users inflate their ETH account balances without limit. The exchange says nobody exploited it, though it acknowledged some accidental losses.

The bug only inflated the ETH balance credited to a Coinbase account; it did not move real ETH on-chain into a private-key wallet. And since Coinbase accounts are linked to verified identities, any attempt to actually withdraw the phantom ETH would have been traceable to the account holder.

The bug was disclosed publicly on March 21, but it had existed since December 2017. Coinbase paid the Dutch firm VI Company, whose researchers found it, a $10,000 bounty.

“The researchers noticed an issue with our ETH receiving code when receiving from a contract. This allowed sending of ETH to Coinbase to be credited even if the underlying contract execution failed,” explains the San Francisco trading platform.

Coinbase fixed the issue by changing its contract-handling logic. Its analysis found only accidental loss for Coinbase, and no exploitation attempts.
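The crediting mistake Coinbase describes, beside a hardened version, as an added example that is not Coinbase's code or VI Company's proof of concept. The internal-transaction trace is modelled on the shape of Parity/OpenEthereum `trace_transaction` output (`traceAddress`, `action.callType`, `action.value`, `error`), but the addresses, both traces and the receipts are constructed for this example, and the function names are hypothetical. The point it shows: a value-carrying internal call to a deposit address is only real if the transaction succeeded and neither that call frame nor any enclosing frame reverted.

```python
# Deposit crediting for ETH received via internal (contract-originated) transfers.
# Trace frames follow the layout of Parity/OpenEthereum `trace_transaction`
# (traceAddress, action.callType, action.value, error), but every frame and
# receipt below is constructed for this example, not taken from a real tx.

WEI = 10**18

# Hypothetical addresses (constructed), not real accounts.
DEPOSIT_ADDR = "0x" + "01" * 20      # exchange deposit address being watched
ATTACKER_CONTRACT = "0x" + "aa" * 20 # contract that forwards ETH then reverts
HELPER = "0x" + "bb" * 20            # intermediate contract in one branch
WATCHED = {DEPOSIT_ADDR}


def credit_naive(trace, watched=WATCHED):
    """Flawed logic: credit every value-carrying internal call to a watched
    address, ignoring whether that call, its parents, or the whole transaction
    actually succeeded. This is the class of mistake described in the article."""
    credits = {}
    for frame in trace:
        action = frame["action"]
        to, value = action.get("to"), action.get("value", 0)
        if to in watched and value > 0:
            credits[to] = credits.get(to, 0) + value
    return credits


def _effective(frame, by_path):
    """True only if this frame and every enclosing frame completed without error.
    A child call that returned successfully is still undone if an ancestor reverts."""
    path = tuple(frame["traceAddress"])
    for depth in range(len(path) + 1):
        if "error" in by_path[path[:depth]]:
            return False
    return True


def credit_safe(receipt, trace, watched=WATCHED):
    """Hardened logic: credit an internal transfer only when
    (1) the transaction receipt reports success (status == 1),
    (2) the frame is a plain CALL (DELEGATECALL/STATICCALL move no value; a
        delegatecall frame merely reports its caller's value), and
    (3) neither the frame nor any ancestor frame reverted."""
    if receipt.get("status") != 1:
        return {}
    by_path = {tuple(f["traceAddress"]): f for f in trace}
    credits = {}
    for frame in trace:
        action = frame["action"]
        to, value = action.get("to"), action.get("value", 0)
        if to not in watched or value == 0:
            continue
        if action.get("callType") != "call":
            continue
        if not _effective(frame, by_path):
            continue
        credits[to] = credits.get(to, 0) + value
    return credits


def _frame(path, to, value, call_type="call", error=None):
    """Build one constructed trace frame in the trace_transaction shape."""
    frame = {"traceAddress": list(path),
             "action": {"to": to, "value": value, "callType": call_type}}
    if error:
        frame["error"] = error
    return frame


# Scenario A (constructed): a contract forwards 1 ETH to the deposit address
# twice, then reverts, so the whole transaction fails and no ETH moves.
TRACE_A = [
    _frame([], ATTACKER_CONTRACT, 2 * WEI, error="Reverted"),
    _frame([0], DEPOSIT_ADDR, 1 * WEI),
    _frame([1], DEPOSIT_ADDR, 1 * WEI),
]
RECEIPT_A = {"status": 0}

# Scenario B (constructed): the transaction succeeds overall, but branch [0]
# (a call into a helper contract) reverts after its own child transfer [0,0]
# returned; only the direct 2 ETH transfer in branch [1] actually lands.
TRACE_B = [
    _frame([], ATTACKER_CONTRACT, 3 * WEI),
    _frame([0], HELPER, 1 * WEI, error="Reverted"),
    _frame([0, 0], DEPOSIT_ADDR, 1 * WEI),
    _frame([1], DEPOSIT_ADDR, 2 * WEI),
]
RECEIPT_B = {"status": 1}

if __name__ == "__main__":
    for name, receipt, trace in (("A", RECEIPT_A, TRACE_A), ("B", RECEIPT_B, TRACE_B)):
        print(name, "naive:", credit_naive(trace), "safe:", credit_safe(receipt, trace))
```

Scenario A is the shape of the bug as Coinbase describes it: the naive logic credits 2 ETH that never left the sender. Scenario B shows why checking the receipt alone is not enough; a successful transaction can still contain a reverted branch whose child transfers were rolled back.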

Tough year

Coinbase has faced continued technical difficulties for almost a year. Since a mass influx of new users in mid-2017, the US’ largest exchange and wallet provider’s technical capabilities have been stretched, resulting in delayed and missing funds, system outages and other problems.

Despite promises to beef up performance, the response to a bug that could in principle have been used to drain billions of dollars in cryptocurrency is telling: the fix did not land until January 26, about a month after the original report.

Coinbase is not the only exchange to suffer glitches that let people manipulate balances. This past February the Japanese exchange Zaif had a bug that let users buy BTC for zero dollars. The month before that, the retailer Overstock had an API glitch that let customers pay with BCH for a product priced in BTC.
